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THE CYBER THREAT TO CONTROL SYSTEMS: 
STRONGER REGULATIONS ARE NECESSARY 
TO SECURE THE ELECTRIC GRID 


Wednesday, October 17, 2007 

U.S. House of Representatives, 

Committee on Homeland Security, 
Subcommittee on Emerging Threats, Cybersecurity, 

AND Science and Technology, 

Washington, DC. 

The subcommittee met, pursuant to call, at 2:16 p.m. in Room 
311, Cannon House Office Building, Hon. James R. Langevin 
[chairman of the subcommittee], presiding. 

Present: Representatives Langevin, Lofgren, Etheridge, Green, 
Pascrell, Thompson, McCaul, Brown-Waite, and Broun. 

Mr. Langevin. The subcommittee will come to order. 

The subcommittee is meeting today to receive testimony on “The 
Cyber Threat to Control Systems: Stronger Regulations are Nec- 
essary to Secure the Electric Grid.” 

I will begin by recognizing myself for the purposes of an opening 
statement. 

Today’s hearing provides us with a prime opportunity to assess 
the future of cybersecurity and critical infrastructure protection in 
the United States. Today we will discuss two major issues: the ef- 
forts to implement cybersecurity standards within the electric sec- 
tor and a cyber vulnerability, known as Aurora, which was recently 
made public. 

Now, I will be blunt, if this administration doesn’t recognize and 
prioritize these problems soon, the future isn’t going to be pretty. 

The bulk power system in the United States and Canada has 
more than $1 trillion in asset value, more than 200,000 miles of 
transmission lines, and more than 800 megawatts of generating ca- 
pability, serving over 300 million people. The effective functioning 
of this infrastructure is highly dependent on control systems, which 
a computer-based system is used to monitor and control sensitive 
processes and physical functions. 

Once largely proprietary, closed systems, control systems are be- 
coming increasingly connected to open networks, such as corporate 
intranets and the Internet itself. As such, the cyber risk of these 
systems is increasing. 

Intentional and unintentional control system failures on the bulk 
power system could have a significant and potentially devastating 
impact on the economy, public health and national security of the 
United States. For a society whose every function depends on reli- 

( 1 ) 
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able power, the disruption of electricity to chemical plants, banks, 
refineries, hospitals, water systems and military installations pre- 
sents a terrifying scenario. 

Now, we will not accidentally stumble upon a solution to these 
problems. Instead, we must dedicate a lot of hard work and re- 
sources to secure our systems. To this end, the Federal Energy 
Regulatory Corporation, FERC, has recommended protecting the 
bulk power system against disruptions from cyber attacks by ap- 
proving a set of reliability standards developed by the North Amer- 
ica Electric Reliability Corporation, or NERC. 

Now, the proposed standards require certain users, owners and 
operators of the grid to establish plans, protocols and controls to 
safeguard physical and electric access to systems, to train per- 
sonnel on security matters, to report security incidents, and to be 
prepared to recover information. 

Two weeks ago, members of this committee, including myself. 
Chairman Thompson, Mr. McCaul, submitted comments to FERC 
Rulemaking. We believe that the standards proposed by NERC do 
not sufficiently ensure the production or delivery of power in the 
event of intentional or unintentional cyber incidents involving crit- 
ical infrastructures. The NERC standards focus on the reliability of 
the bulk power system as a whole, yet ignoring the Homeland Se- 
curity impact that loss of power in a region can have. The stand- 
ards, for example, won’t cover a significant number of assets that 
are critical to providing power throughout the country. 

As several witnesses will testify today, the NERC standards 
won’t require electric-sector owners and operators to secure their 
generation units, distribution units or telecommunications equip- 
ment. But we know from countless real-world examples that these 
units are highly vulnerable to intentional or unintentional cyber 
events. Knocking any of these units off could affect the power sup- 
ply to our Nation’s critical infrastructure. 

The readiness standards that would preclude these elements just 
isn’t good public policy. The technical experts agree with this asser- 
tion. According to research performed for NIST, the NERC stand- 
ards are inadequate for protecting critical national infrastructure. 
And GAO concurs with those findings. 

Now, I am concerned about the narrow scope of the standards, 
particularly in light of recent events. CNN recently reported that 
DHS researchers at the Idaho National Laboratory successfully de- 
stroyed a generator through an experimental cyber attack. This ex- 
periment was code-named “Aurora.” And we are going to have a 
brief video at the end of the testimony of our witnesses here that 
are here this afternoon. 

But officials tell me that malicious actors, insider terrorists, or 
nation-states could use the same attack vector against larger gen- 
erators and other critical rotating equipment, that they could cause 
widespread and long-term damage to the electric infrastructure. 
DHS, working through Idaho National Labs and DOE, have been 
deploying mitigation measures for many of the critical infrastruc- 
ture sectors. Naturally, we expect owners and operators of critical 
infrastructure would mitigate these vulnerabilities as quick as pos- 
sible. Unfortunately, I have reason to believe that the mitigations 
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developed by DHS and DOE have not been fully implemented 
across the electric sector. 

Today, the ranking member and I sent a letter to FERC Chair- 
man Joe Kelliher and asked him to commence an investigation to 
determine the extent to which the electric-sector owners and opera- 
tors have implemented these mitigation efforts. 

Despite the comments from industry that suggest otherwise, we 
in Congress believe that this is a serious problem. This sub- 
committee will continue its vigorous oversight of this critical aspect 
of our Nation’s homeland security. These are important issues. 

And, without objection, I would like to introduce into the record 
our comments to the FERC Rulemaking that we submitted on Oc- 
tober 5th, as well as the letter I provided Chairman Kelliher yes- 
terday, requesting the investigation. 

Prepared Opening Statement of the Honorable James R. Langevin, Chairman, 
Subcommittee on Emerging Threats, Cybersecueity, and Science 

Today’s hearing provides us with a prime opportunity to asses the future of cyher- 
security and critical infrastructure protection in the United States. We will discuss 
two major issues today: the efforts to implement cyhersecurity standards within the 
electric sector and a cyher vulnerability known as “Aurora” that was recently made 
public. I’ll be blunt — if this Administration doesn’t recognize and prioritize these 
problems soon, the future isn’t going to be pretty. 

The bulk power system of the United States and Canada has more than $1 trillion 
in asset value, more than 200,000 miles of transmission lines, and more than 
800,000 megawatts of generating capability serving over 300 million people. The ef- 
fective functioning of this infrastructure is highly dependent on control systems, 
which are computer-based systems used to monitor and control sensitive processes 
and physical functions. Once largely proprietary, closed-systems, control systems are 
becoming increasingly connected to open networks, such as corporate intranets and 
the Internet. As such, the cyber risk to these systems is increasing. 

Intentional and unintentional control system failures on the bulk power system 
could have a significant and potentially devastating impact on the economy, public 
health, and national security of the U.S. For society whose every function depends 
on reliable power, the disruption of electricity to chemical plants, banks, refineries, 
hospitals, water systems, and military installations presents a terrifying scenario. 
We will not accidentally stumble upon a solution to these problems. Instead, we 
must dedicate a lot of hard work and resources to secure our systems. 

To this end, the Federal Energy Regulatory Corporation (FERC) has rec- 
ommended protecting the bulk power system against disruptions from cyber attacks 
by approving a set of reliability standards developed by the North American Electric 
Reliability Corporation (NERC). The proposed standards require certain users, own- 
ers and operators of the grid to establish plans, protocols and controls to safeguard 
physical and electronic access to systems, to train personnel on security matters, to 
report security incidents, and to be prepared to recover information. 

Two weeks ago Members of this Committee, including myself. Chairman Thomp- 
son, and Mr. McCaul, submitted comments to the FERC rulemaking, we believe 
that the standards proposed by NERC do not sufficiently ensure the production or 
delivery of power in the event of intentional or unintentional cyber incidents involv- 
ing critical infrastructures. The NERC standard focuses on the reliability of the bulk 
power system as a whole, ignoring the homeland security impact that loss of power 
in a region can have. 

The standards won’t cover a significant number of assets that are critical in pro- 
viding power throughout the country. As several witnesses will testify today, the 
NERC standards won’t require electric sector owners and operators to secure their 
generation units, distribution units, or telecommunications equipment. But we know 
from countless real world examples that these units are highly vulnerable to inten- 
tional and unintentional cyber events. Knocking any of these units off could affect 
the power supply to our nation’s critical infrastructure. 

Writing a standard that would preclude these elements just isn’t good public pol- 
icy. The technical experts agree with this assertion, according to research performed 
for NIST, the NERC standards are “inadequate for protecting critical national infra- 
structure.” GAO concurs with those finds. I’m concerned about the narrow scope of 
the standards, particularly in light of recent events. CNN recently reported that 
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DHS researchers at the Idaho National Laboratory successfully destroyed a gener- 
ator through an experimental cyber attack. This experiment was code-named “Au- 
rora.” 

Officials tell me that malicious actors — insiders, terrorists, or nation states — could 
use the same attack vector against larger generators and other critical rotating 
equipment that could cause widespread and long-term damage to the electric infra- 
structure. DHS, working through Idaho National Labs, and DOE have been devel- 
oping mitigation measures for many of the critical infrastructure sectors. Naturally, 
we would expect owners and operators of critical infrastructure would mitigate 
these vulnerabilities as quickly as possible. Unfortunately, I have reason to believe 
that the mitigations developed by DHS and DOE have not been fully implemented 
across the electric sector. 

Today, the Ranking Member and I sent a letter to FERC Chairman Joe Kelleher 
and asked him to commence an investigation to determine the extent to which elec- 
tric sector owners and operators have implemented these mitigation efforts. Despite 
comments from industry that suggest otherwise, we in the Congress believe that 
this is a serious problem. This Subcommittee will continue its vigorous oversight 
over this critical aspect of our nation’s homeland security. 

Mr. Langevin. With that, that concludes my opening statement. 
And the Chair now recognizes the ranking member of the sub- 
committee, the gentleman from Texas, Mr. McCaul, for the pur- 
poses of an opening statement. 

Mr. McCaul. I thank the Chairman. I apologize for being a little 
bit late. It is not every day you see the President award the Dalai 
Lama the Congressional Gold Medal of Honor. 

I want to thank you for holding this hearing. And we have been 
working in a very bipartisan way on this issue because it is an 
issue of national security that impacts the American people and the 
security of the American people. 

The electric power grid and the generation and distribution 
equipment associated with it are amongst the most critical pieces 
of our country’s infrastructure. These systems, commonly known as 
the power grid, are the largest, most complex machines on the con- 
tinent, enabling power to be generated, transmitted and distributed 
to millions of individuals and businesses across North America. 

Despite the fact that the grid is highly reliable and has built-in 
redundancy, the ^id is dependent on its various parts. Due to the 
physics of transmitting electricity, the entire bolt power operates at 
the same frequency, so the grid could be vulnerable to cascading 
failures and long-term outages if the systems that control the pro- 
duction and flow of electricity are compromised. As we saw with 
Aurora, these systems can be compromised, and they are vulner- 
able. 

Another example would be the East Coast blackout in 2003, 
when an ordinary power outage, caused by a line coming in contact 
with a tree, was exacerbated by a software bug, leading to an 
alarm system failure that rippled across the East Coast. The 2003 
blackout was unintentional and, while costly, didn’t cause major 
disruption for more than 24 to 36|jhours. But it does, however, 
demonstrate that no grid can be threatened, when a relatively 
small number of systems fail. It also demonstrates that the grid 
can be threatened. 

Industrial control systems, computer systems designed to mon- 
itor and control industrial processes, have been increasingly con- 
trolled over networks and the Internet. This has created a much 
more efficient and easy-to-use system, but has also created a whole 
host of vulnerabilities. These vulnerabilities are exacerbated by the 
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fact that traditional cybersecurity solutions are not as easy to im- 
plement because the systems must run smoothly and continuously. 

Recently, the consequences of these cyber-based attacks have 
come to light, primarily on CNN. And it is crucial and critical that 
we move quickly in this country to secure these vulnerable sys- 
tems. 

The Department of Homeland Security has multiple initiatives 
under way to secure systems, as do a number of other agencies, as 
well as the private sector. The Department should take this oppor- 
tunity to consolidate those initiatives and draft an overall strategy 
that minimizes overlapping efforts and prevents gaps so that these 
critical systems are secured as quickly and effectively as possible. 

I look forward to this discussion and the discussion from the sec- 
ond panel, who will talk about cybersecurity standards and best 
practices within the industry. 

I believe that we can work together within the existing structure 
to ensure that the industry’s assets are adequately and safely pro- 
tected from threats and vulnerabilities. 

With that, I want to thank the witnesses for being here. And I 
yield back. 

Mr. Langevin. I thank the ranking member. 

The Chair now recognizes the chairman of the full committee, 
the gentleman from Mississippi, Mr. Thompson, for an opening 
statement. 

Mr. Thompson. Thank you very much, Mr. Chairman. And I 
thank you for your leadership on cybersecurity in this Congress 
and your continued oversight on this issue. 

Mr. Chairman, I often talk about vacancies within the Depart- 
ment of Homeland Security, because I think it affects our ability 
to protect and defend the United States. In that vein, I am con- 
cerned about the Department’s efforts in cybersecurity, particularly 
given the extraordinary number of vacancies that have opened up 
in the National Cybersecurity Division. Three critically important 
individuals — the director of the National Cyber security Division, 
the deputy director of outreach and awareness, and the director of 
the Control Systems Security Program — have all left the Depart- 
ment in recent months. I hope Assistant Secretary Garcia can pro- 
vide us information today about where we are in filling these im- 
portant positions. 

Of course, this is nothing new for DHS or the Cyber Division. 
The Control Systems Security Program, the subject of today’s hear- 
ing, has gone through countless program managers over the years. 
I believe the high rate of vacancies and turnover is affecting the 
Department’s ability to really move this country forward on control 
systems. 

Take the control systems strategy, for example. In 2005, DHS 
started working with interagency partners to develop a comprehen- 
sive control systems strategy that would encompass the public and 
private sectors, set a national vision to secure control systems, de- 
scribe roles and responsibility, and identify future requirements for 
resources and action. It is almost Spyears later, and not one prod- 
uct has been delivered. 

A Department working without key leadership sends a bad mes- 
sage to the private-sector owners and operators, who are essential 
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to securing critical infrastructure. How is the Department supposed 
to develop long-term relationships with these companies and indi- 
viduals when there is a different DHS face in every meeting? 

Similarly, how is the private sector supposed to react to the cyber 
initiative that was reported last month in the Baltimore Sun? Ac- 
cording to that article, NSA will be working with DHS and other 
Federal agencies to monitor critical infrastructure networks to pre- 
vent unauthorized intrusions. According to the article, up to 2,000 
people will be assigned to this endeavor. 

I wonder how this initiative is going to impact the public-private 
partnership that DHS has been developing. I have asked the De- 
partment to brief me numerous times on this initiative, but we 
haven’t heard a peep. I hope the Assistant Secretary can provide 
us with feedback today. 

Mr. Chairman, the American people deserve better. They deserve 
better leadership on this issue. And I hope that the next adminis- 
tration will reverse this unfortunate and dangerous path. I thank 
you for your leadership on this issue, and I yield back. 

Mr. Langevin. I thank the gentleman. 

Other members of the subcommittee are reminded, under the 
committee rules, opening statements maybe submitted for the 
record. 

I want to begin now by welcoming our first panel of witnesses. 

Our first witness, Mr. Greg Garcia, Assistant Secretary for Cy- 
bersecurity and Communications. Assistant Secretary Garcia over- 
sees the Department of Homeland Security’s mission to prepare for 
and respond to incidents that could degrade or overwhelm the oper- 
ation of the Nation’s information-technology and communications 
infrastructure. 

I want to welcome you here. Secretary Garcia. 

Our second witness, Gregory Wilshusen, is the director of infor- 
mation security issues at GAO, where he leads information-secu- 
rity-related studies and audits the Federal Government. 

I appreciate you being here, Mr. Wilshusen. 

And our third witness is Mr. Tim Roxey, the technical assistant 
to the president of Constellation Generation Group for Security. He 
is the deputy to the Chairs for both the Nuclear Sector Coordi- 
nating Council and the Partnership of Critical Infrastructure Secu- 
rity, and is the team lead for the Aurora mitigation efforts for the 
private sector. 

Mr. Roxey, thank you for being here, as well. 

Without objection, the witnesses’ full statements will be inserted 
into the record. And I now ask each witness to summarize their 
statement for 5 minutes, beginning with Assistant Secretary Gar- 
cia. 

And, Secretary, with all the vacancies that Chairman Thompson 
mentioned in his opening statement, I am glad to see that you are 
at least still on the job. Welcome. And thank you for being here. 

STATEMENT OF GREGORY GARCIA, ASSISTANT SECRETARY, 

OFFICE OF CYBERSECURITY AND COMMUNICATIONS, 

DEPARTMENT OF HOMELAND SECURITY 

Mr. Garcia. Thank you very much, Mr. Chairman. 
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Chairman Thompson, Ranking Member McCaul and members of 
the subcommittee, I do appreciate the opportunity to speak with 
you today about DHS efforts to strengthen the security and resil- 
iency of our Nation’s critical infrastructure. 

It is fitting that you are holding this hearing during National Cy- 
bersecurity Awareness Month, because it really helps to raise pub- 
lic consciousness about the importance of control systems security 
to our economic well-being and to our homeland security. 

I would also like to personally thank you and Mr. McCaul and 
your colleagues for your leadership in cosponsoring House Resolu- 
tion 716, which endorses the ideals of National Cybersecurity 
Awareness Month, and for your continued efforts to raise aware- 
ness of this critical issue. 

Control system — that is a term, a general term that encompasses 
several types of systems, including SCADA, that are most often 
found in the industrial sectors and critical infrastructures. The sys- 
tems typically are remotely controlled devices used to operate phys- 
ical processes in industries such as electricity, oil and gas, and 
water. 

Control systems are particularly important for the security of our 
country’s electric grid because of the significant interdependencies 
inherent with the use of energy in all other critical-infrastructure 
sectors. Therefore, securing control systems is vital to maintaining 
our Nation’s strategic interests, the public safety and economic 
prosperity. 

It is important to note that, because the private sector owns and 
operates 90 percent or so of the critical infrastructure that we need 
to protect, responsibility for securing our Nation’s control systems 
lies heavily with the private sector. That said, as lead for coordi- 
nating national critical infrastructure protection and cybersecurity, 
DHS established a Control Systems Security Program. And the 
goal is simple: to lead a cohesive effort between Government and 
industry, focused on reducing the risks to control systems that op- 
erate our critical infrastructure. 

How do we do this? We have a comprehensive approach to reduce 
risk by working closely with public and private partners. And it 
looks like this: We work with the control-systems vendor commu- 
nity to produce more secure systems; we work with the owners and 
operators to better secure their systems; and we work with the na- 
tional labs and the National Institute of Standards and Technology 
to develop technical guidance. And we are proud of these efforts to 
assist our public — and private-sector partners to identify and miti- 
gate direct risks to control systems. 

We have made significant progress toward this goal, and today 
I would like to highlight just a few of these successes. 

First, a key principle for our mission is that you can’t enhance 
security if you don’t know where your vulnerabilities are. In col- 
laboration with several Department of Energy national labs, we de- 
veloped the first widely available Control Systems Cybersecurity 
Self-Assessment Tool. It employs a systematic and repeatable ap- 
proach for owners and operators to assess the cybersecurity posture 
of their control systems. Further, it offers recommendation based 
on industry standards that are customized to the operating charac- 
teristics of each control systems facility. 
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The response to the tool has been tremendous. For instance, a 
key industry association for industrial manufacturing professionals 
has found the tool so valuable that they are making it available to 
their entire membership of over 30,000 professionals worldwide. 

Second, we sponsor the SCADA Procurement Project to help ac- 
quisition officials ensure that control systems they are buying or 
upgrading have the best security available. Government and indus- 
try representatives, including the multi-State ISAC, the Informa- 
tion Sharing and Analysis Center, the SANS Institute, and the 
DOE Idaho National Lab, developed this comprehensive guidance 
document. It offers standardized procurement language that com- 
panies can write into their contracts when they purchase new con- 
trol systems. The guidance is available at no charge, and over 450 
copies have been downloaded each month since it was posted in 
January of 2007. 

Third, people are at the heart of addressing the cybersecurity 
challenge, and control systems are simply no different. That is why 
we are focused on training and educating control systems profes- 
sionals on the best methods for securing and maintaining their sys- 
tems. Since 2005, we have trained nearly 7,000 IT and control sys- 
tem professionals through both classroom and Web-based instruc- 
tion modules. We have also developed curriculum for master’s de- 
gree programs to aid faculty in teaching our future business lead- 
ers the importance of control systems security. To date, it has been 
distributed to more than 100 faculty members at universities and 
related institutions. 

Fourth, an important aspect of our work in control systems secu- 
rity is in the area of standards. We have worked closely with NIST 
and other partners to improve technical guidance in their special 
publication series. In addition, we are about to release a catalog of 
control systems security standards that will serve as a foundational 
document, available for any industry to develop and implement cy- 
bersecurity standards specific to their operational requirements. 
The catalog is a compilation of practices inventoried from across 
the industry standards bodies and will provide a mechanism to 
identify gaps in existing standards and improve overall security. 

And fifth, applying the risk management and partnership frame- 
work outlined in the NIPP, the National Infrastructure Protection 
Plan, we lead recent activity to identify, validate and mitigate a 
control systems vulnerability affecting several critical-infrastruc- 
ture sectors. Federal agency partners worked with industry, tech- 
nical experts, to assess the vulnerability and to jointly develop sec- 
tor-specific mitigation plans. This enabled owners and operators to 
take specific actions to reduce the risk associated with the vulner- 
ability. And this is a great example of collaboration. This is exactly 
what was envisioned in the NIPP process. 

And we have also developed processes for sharing sensitive infor- 
mation with Government and industry stakeholders. Our US- 
CERT, the Computer Emergency Readiness Team, is charged with 
recording response to cyber attacks and is responsible for analyzing 
and disseminating cyber threat warning information. Control sys- 
tems security program personnel are currently collocated and work 
closely with US-CERT. This close relationship benefits the CERT, 
in terms of having the expertise necessary for control systems. And 
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they make themselves immediately available for assisting with re- 
sponses to incidents and the management of vulnerabilities related 
to control systems. 

I will wrap up. 

All of these efforts are informing our work to develop a com- 
prehensive control systems strategy with our Federal and our pri- 
vate-sector partners. The strategy lays out a national vision, roles 
and responsibilities, and identifies feature requirements for na- 
tional control systems security. Our goal is to release a final 
version of this national strategy in the first quarter of fiscal year 
2009. 

In conclusion, Mr. Chairman, securing control systems within our 
critical infrastructure, specifically within the electric grid, is a pri- 
ority for DHS. The work we have accomplished thus far exemplifies 
a successful collaboration model for strengthening the security pos- 
ture of our Nation’s control systems. It has also deepened our un- 
derstanding of the challenges that lay before us as we work to en- 
hance the security and resiliency of our Nation’s critical infrastruc- 
ture. DHS is committed to continuing to work with our partners to 
strengthen our national control systems preparedness and our pro- 
tection posture. 

Thank you for your time today, Mr. Chairman. And I am happy 
to answer any questions from the subcommittee. 

[The statement of Mr. Garcia follows:] 

Prepared Statement of Gregory Garcia 

Chairman Langevin, Ranking Member McCaul, and Members of the Sub- 
committee, I appreciate the opportunity to speak about the role the Department of 
Homeland Security (DHS) plays in securing control systems, including the tools and 
resources we have made available to owners and operators of control systems, our 
efforts to collaborate and share information with both the public and private sectors, 
and analysis of control system vulnerabilities to strengthen the Nation’s control sys- 
tem security posture. These efforts support one of the Department’s primary mis- 
sions of advancing preparedness. As October is National Cyber Security Awareness 
Month, I think it is particularly appropriate to highlight the importance of control 
systems security and to discuss our efforts to date to raise awareness of the chal- 
lenges and solutions to securing these important systems. I would also like to recog- 
nize Chairman Langevin’s and Ranking Member McCauTs leadership in promoting 
National Cyber Security Awareness Month’s goals, objectives, and activities among 
their colleagues and constituents through their Dear Colleague letter and co-spon- 
sorship of the Congressional Resolution. Raising awareness about protecting our 
critical infrastructures among home users, academic institutions, and businesses, in- 
cluding our control systems owners and operators, is fundamental to improving our 
preparedness posture. 

As the Assistant Secretary for Cybersecurity and Communications within DHS’ 
National Protection and Programs Directorate (NPPD), I oversee our mission to pre- 
pare for and respond to incidents that could degrade or overwhelm the operation 
of our Nation’s information technology (IT) and communications infrastructure. This 
responsibility includes the goal of ensuring the security, integrity, reliability, and 
availability of our IT and communications networks. Reducing risk to that portion 
of the 17 sectors designated as critical infrastructures is among Secretary ChertofFs 
highest priorities, and I am pleased to share with you the Department’s ongoing ef- 
forts to address this priority. 

“Control system” is a general term that encompasses several types of systems, in- 
cluding supervisory control and data acquisition (SCADA) systems, distributed con- 
trol systems (DCS), and Programmable Logic Controllers (PLC) often found in the 
industrial sectors and critical infrastructures. Control systems typically are re- 
motely controlled devices used to operate physical processes in industries such as 
electricity, water, oil and gas, chemical, transportation, pharmaceutical, pulp and 
paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, 
and durable goods). These control systems are critical to the safe and secure oper- 
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ation of our highly interconnected and mutually dependent critical infrastructures. 
A successful cyher attack on a control system could potentially result in physical 
damage, loss of service, and/or economic impact. 

Ensuring the security of these systems is essential, and that responsibility lies 
heavily with the private sector, which owns and operates over 85 percent of the Na- 
tion’s critical infrastructures. DHS works closely with private sector owners and op- 
erators to provide expertise, analytical products, and education and training mate- 
rials that help control systems stakeholders identify and reduce direct risks for con- 
trol systems. DHS communicates and collaborates with many diverse organizations, 
including government agencies, industry associations, national laboratories, equip- 
ment vendors, and asset owners and operators to identify improvements and drive 
their adoption across the infrastructure community. Through its involvement in the 
community and public-private partnerships, DHS is able to successfully engage with 
private sector owners and operators on significant control systems cyber security 
challenges and enable their voluntary cooperation and participation in imple- 
menting improvements to enhance the overall preparedness and resilience of the 
Nation’s critical infrastructure. 

DHS has three main objectives for reducing cyber risk and securing control sys- 
tems: provide guidance, develop and enhance partnerships, and prepare for and re- 
spond to incidents. DHS also leverages the expertise and activities of operational 
programs and strategic initiatives from across the Department and the U.S. Govern- 
ment and integrates these activities to reduce risk, respond to incidents, and foster 
a culture of preparedness within the control systems community. 

DHS utilization of several information sharing mechanisms allows the Depart- 
ment to manage effectively the collection and dissemination of sensitive vulner- 
ability information, which ultimately enables us to raise awareness of 
vulnerabilities and risk management efforts among the control systems community, 
influence security practices to reduce risk, and raise the security bar across all the 
critical infrastructure sectors. 

First, DHS provides guidance to the control systems community through sev- 
eral mechanisms and activities, including risk reduction products, such as security 
implementation guidelines and recommended practices; outreach and awareness 
through education and training; and technology assessments to identify 
vulnerabilities. 

One of our recent accomplishments with regard to risk reduction products is the 
development and implementation of the Control Systems Cyber Security Self As- 
sessment Tool (CS2SAT), which employs a systematic and repeatable approach that 
allows owners and operators to assess the cyber security posture of their control sys- 
tems. Through the CS2SAT, users input facility-specific control system information. 
The tool then provides users with a picture of their control systems architecture and 
an assessment of their cyber security posture. It also makes recommendations for 
improvements. The recommendations are derived from industry cyber security 
standards and are linked to a set of specific actions that can be applied to mitigate 
the identified security vulnerabilities. The Instrumentation, Systems and Automa- 
tion Society (ISA), one of the largest global organizations for control systems, an- 
nounced on October 4, 2007 that it will make the CS2SAT available to their mem- 
bership, which consists of over 30,000 automation professionals. 

Another risk-reduction tool DHS sponsors for the control systems community is 
the Multi-State Information Sharing and Analysis Center (MS-ISAC) SCADA Pro- 
curement Project. We have worked closely with the MS-ISAC, the SANS Institute, 
the Department of Energy (DOE) Idaho National Laboratory, and representatives 
from government and industry to develop common procurement language that own- 
ers and regulators can incorporate into contracting mechanisms to ensure the con- 
trol systems they are buying or maintaining have the best available security. The 
long term goal is to raise the level of control systems security through the applica- 
tion of robust procurement requirements. The Procurement Project has received 
very positive feedback from users, and the document has averaged more than 450 
downloads per month from the MS-ISAC website where it was posted in January 
2007. 

DHS also provides education and training for our industry and government part- 
ners. Through our control systems security training courses, we have provided train- 
ing to nearly 7,000 IT and control systems professionals on a range of topics, such 
as identif 3 dng control systems vulnerabilities, conducting risk assessments, and ap- 
plying standards-based mitigation measures to improve security. We offer both 
classroom and web-based instruction modules and will be launching a new oper- 
ations security course later this month. The web-based training has been especially 
popular with our partners with geographically dispersed systems and personnel. 
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In addition, in coordination with academia we developed a graduate school cur- 
riculum for Masters of Business Administration and Masters of Public Policy pro- 
grams to aid faculty in developing courses on the security of critical infrastructures 
with an emphasis on control systems security. The curriculum provides materials 
on public policy, technical issues, and managerial principles associated with critical 
infrastructure resiliency. To date, the curriculum has been distributed to more than 
100 faculty members at universities and related institutions. 

DHS is working with the National Institute of Standards and Technology (NIST) 
to strengthen Federal standards and guidance regarding control systems security. 
Over the past year, NIST has been developing cyber security guidance and a compli- 
ance framework specifically tailored to control systems. The guidance component. 
Special Publication (SP) 800-82 (2nd draft), “Guide to Industrial Control Systems 
(ICS) Security,” provides an overview of control systems, identifies typical threats 
and vulnerabilities to these systems, and provides recommended security counter- 
measures to mitigate the associated risks. The compliance component. Special Publi- 
cation (SP) 800-63, “Recommended Security Controls for Federal Information Sys- 
tems,” defines the minimum security controls for Federal systems and was originally 
published in 2005 by NIST in accordance with the requirements outlined in the Fed- 
eral Information Security Management Act (FISMA). We have worked closely with 
NIST to develop SP 800-82, and to ensure that control systems security was incor- 
porated into the updated revised SP 800-53. These NIST standards together will 
provide important baseline security guidance for adoption by Federal owners and 
operators of control systems. 

We are also working with NIST and several of the DOE National Laboratories 
to develop a catalog of control system security standards. This comprehensive cata- 
log represents a compilation of practices inventoried from across the industry stand- 
ards bodies and provides recommendations for enhancements to standards to in- 
crease the security of control systems from both cyber and physical attacks. While 
many of today’s standards appropriately address security factors, detailed guidance 
is needed to ensure adequate protection from cyber attacks on control systems. This 
catalog is specifically designed to provide a framework for developing or enhancing 
technical aspects of security standards. When completed, the catalog will serve as 
a foundational document available for any industry using control systems to develop 
and implement cyber security standards specific to their individual operating re- 
quirements. 

Second, we are developing and enhancing dynamic, cooperative relation- 
ships with government, industry, academia, and our international counterparts to 
promote control systems security and leverage existing initiatives being conducted 
by government and industry. For example, DHS partners with other agencies to 
support research and development of secure technologies for control systems. Public- 
private partnerships are essential in our efforts to improve the security of control 
systems because, as noted previously, the private sector owns and operates most 
critical infrastructure. 

The National Infrastructure Protection Plan (NIPP) framework and supporting 
Sector-Specific Plans (SSPs) provide a coordinated approach to critical infrastructure 
protection roles and responsibilities for Federal, State, local, tribal, international, 
and industry security partners. Utilizing the NIPP framework, DHS directed recent 
activity to validate and mitigate a control systems vulnerability affecting a number 
of critical infrastructure sectors. Numerous Federal agency partners worked closely 
with industry technical experts to assess the vulnerability and to develop sector-spe- 
cific mitigation plans. We are pleased with the results of this partnership: it pro- 
duced jointly developed mitigation guidance and allowed owners and operators with- 
in the affected sectors to take deliberate and decisive actions to reduce significantly 
the risk associated with this vulnerability. 

Recognizing the importance of engagement with industry, DHS sponsors a num- 
ber of groups to foster close collaboration and information sharing among the control 
systems community. The Process Control Systems Forum (PCSF) was established to 
accelerate the design, development, and deployment of more secure control systems. 
The PCSF includes a variety of stakeholders including both national and inter- 
national representatives from government, academia, owners and operators, systems 
integrators, and vendors. 

The Control Systems Cyber Security Vendors’ Forum, a subgroup under the 
PCSF, facilitates communication in a trusted environment between industrial auto- 
mation and equipment suppliers and control system service providers. The Vendors’ 
Forum consists of 50 members from 27 domestic and international companies com- 
prising 90 percent of the market share providing service to all 17 critical infrastruc- 
ture sectors. 


VerDate Nov 24 2008 


13:19 Sep 04, 2009 Jkt 000000 PO 00000 FrmOOOIS Fmt 6633 Sfmt 6621 H:\DOCS\110-HRGS\110-78\48973.TXT MSEC PsN: DIANE 



12 


An example of this collaboration occurred earlier this year when members of the 
Vendors’ Forum worked together to address the potential effects on control systems 
caused by the date change in the Daylight Saving Time (DST) standard. The change 
in DST impacted control systems in over 19 countries. The control systems commu- 
nity recognized the importance of this issue and worked with the DHS National 
Cyber Security Division’s United States Computer Emergency Readiness Team (US- 
CERT) to develop a Technical Information Paper, “Daylight Saving Time Changes 
for 2007.” The paper provided guidance to industry on mitigation measures and has 
been downloaded from the US-CERT website more than 500 times between April 
and July 2007. 

Third, to prepare for and respond to ineidents, DHS is improving situational 
awareness, analyzing vulnerabilities, and sharing information. Owners and opera- 
tors can report general cyber incidents and vulnerabilities, including those related 
to control systems, to the US-CERT. Control systems technical experts are inte- 
grated into the US-CERT operations center to provide timely situational awareness 
information and assist with incident management. 

DHS has developed processes for sharing sensitive information related to control 
systems vulnerabilities with Federal, State, and local governments, and control sys- 
tems owners, operators, and vendors to improve control systems security within and 
across all critical infrastructure sectors. This process addresses the information flow 
from vulnerability discovery, to validation, public and private coordination, and out- 
reach and awareness, as well as identifies the deliverables and outcomes expected 
at each step in the process. Information sharing between the government and the 
private sector is essential to this process, and it allows both sectors to identify gaps 
in preparedness capabilities among public and private sectors, as well as identify 
policy issues that affect response and recovery. 

The process incorporates existing entities across the public and private sectors, in- 
cluding the Government and Industry Sector Coordinating Councils, the US-CERT, 
the Homeland Security Information Network (HSIN), and Information Sharing and 
Analysis Centers (ISAC). It also builds on established Departmental practices and 
procedures for the identification, validation, coordination, and communication of 
vulnerabilities across the critical infrastructure sectors. 

As part of this process, DHS relies on three primary mechanisms to communicate 
vulnerability information about control systems to the various stakeholders. The 
US-CERT National Cyber Alert System is utilized as a mechanism to share infor- 
mation about vulnerabilities to a broader audience. Vulnerability information is con- 
veyed via several products, including Vulnerability Notes that are released on a reg- 
ular basis to stakeholders in the control systems community. More detailed analyses 
of cyber vulnerabilities that may impact control systems are published via the Quar- 
terly Report on Cyber Vulnerabilities of Potential Risk to Control Systems, whose re- 
cipients include governments and members of the control systems community. Both 
of these reports are posted on the US-CERT Control Systems Portal and are avail- 
able to all portal members with access to the control systems section of the website, 
which encompasses representatives from the Federal, State, and local governments. 
Sector Specific Agencies, and control systems owners, operators, and vendors. 

In addition, DHS works with vendors, owners, and operators to perform vulner- 
ability assessments of selected systems to identify cyber vulnerabilities based on 
emerging exploits and partners with industry to develop mitigation strategies. DHS 
also works with control systems vendors, owners, and operators to share sensitive 
information through the Protected Critical Infrastructure Information (PCII) pro- 
gram so that private sector vulnerability data may be appropriately safeguarded. 

Finally, in Fiscal Year (FY) 2007, we began working with our Federal partners 
to identify baseline individual agency activities to serve as the foundation for devel- 
oping a comprehensive control systems strategy that will encompass the public and 
private sectors, set a national vision to secure control systems, describe roles and 
responsibilities, and identify future requirements for 5‘llresources and actions. The 
Department has developed a timeline to complete this action, building on work that 
has already been completed. In the first quarter of FY 2008, a draft of the Federal 
sector portion of the strategy will be released for review by government stake- 
holders. Working with sector representatives from the Partnership for Critical Infra- 
structure Security under the NIPP framework, we will then begin to develop a pri- 
vate sector component to integrate into the strategy. We intend to have a final com- 
prehensive strategy ready for release in the first quarter of FY 2009. 


VerDate Nov 24 2008 


1 3:1 9 Sep 04, 2009 Jkt 000000 PO 00000 Frm 0001 6 Fmt 6633 


Sfmt 6621 


H:\DOCS\1 10-HRGS\1 10-78\48973.TXT MSEC 


PsN: DIANE 



13 


Conclusion 

Securing control systems is an important priority for DHS because they are 
unique elements of our critical infrastructure. They are deployed ubiquitously and 
perform such vital functions that their disruption could severely impact citizens’ 
daily lives. DHS has developed a program that includes the development and dis- 
semination of tools, products, and guidance to the controls systems community, es- 
tablished mechanisms to work with our partners in both the government and indus- 
try, and developed capabilities to prepare for and respond to incidents. 

Ongoing education and training for the control systems community is imperative, 
as well as regular assessments of systems. We must continue to raise awareness of 
the threats to and vulnerabilities of control systems through our information shar- 
ing mechanisms and continue to incorporate security measures in control systems 
standards. The development, execution, and maintenance of a national control sys- 
tems security strategy is essential to managing our current and future efforts. The 
work we have accomplished so far has deepened our understanding of the challenges 
that lay before us, and we continue to work to strengthen our national control sys- 
tems preparedness and protection posture. 

Thank you for your time today, and I am happy to answer any questions from 
the Subcommittee. 

Mr. Langevin. Thank you, Mr. Secretary. 

I will now recognize Mr. Wilshusen to summarize his statement 
for 5 minutes. 

GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION 

SECURITY ISSUES, GOVERNMENT ACCOUNTABILITY OFFICE 

Mr. Wilshusen. Chairman Langevin, Ranking Member McCaul 
and members of the subcommittee, thank you for the opportunity 
to testify at today’s hearing on the cyber threats to control systems. 

Control systems are computer-based systems that are used in 
many industries to monitor and control sensitive processes and 
physical functions. These systems provide vital functions in many 
of our Nation’s critical infrastructures, including electric power 
generation, transmission and distribution. 

Today I will discuss the cyber threats, vulnerabilities and impact 
of attacks on control systems, as well as private-sector and Federal 
initiatives to strengthen the security of these systems. 

Mr. Chairman, critical infrastructure control systems face in- 
creasing risk to cyber threats, vulnerabilities and the potentially 
severe impact of an attack. Cyber threats can be intentional or un- 
intentional, targeted or nontargeted, and can come from a variety 
of sources. Intentional threats include both targeted and nontar- 
geted attacks, while unintentional threats can be caused by soft- 
ware upgrades or system maintenance procedures that inadvert- 
ently disrupt systems. 

Sources of these threats include foreign nation-states engaged in 
information warfare, domestic criminals, hackers, virus writers, 
and disgruntled insiders working inside or within an organization. 
Federal and industry experts believe that critical infrastructure 
control systems are more vulnerable today than in the past, due to 
the increased standardization of technologies, the increased 
connectivity of control systems to other computer networks and the 
Internet, insecure connections, and the widespread availability of 
technical information about control systems. 

The impact of a serious attack could be devastating, as the fol- 
lowing examples demonstrate. In an intentional targeted attack, an 
individual who is rejected for a job opening reportedly used a radio 
transmitter to remotely break in to the controls of an Australian 
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sewage-treatment system. He altered electronic data for sewage 
pumping stations, which subsequently resulted in them to malfunc- 
tion, ultimately releasing about 264,000 gallons of raw sewage into 
nearby rivers and parks. 

A foreign hacker penetrated security at a Harrisburg, Pennsyl- 
vania, water-filtering plant and installed malicious software that 
was capable of infecting the plant’s water-treatment operations. 
The infection occurred through the Internet and did not seem to be 
an attack that specifically targeted the control system. 

And in an unintentional incident, two circulation pumps at Unit 
3 of the Browns Ferry, Alabama, nuclear power plant failed, forcing 
the plant to be shut down manually. The failure of the pumps was 
traced to excessive traffic on the control system network, possibly 
caused by the failure of another control system device. 

The private sector and Federal agencies have multiple initiatives 
under way to help secure control systems. Indus try-specific organi- 
zations in various sectors, including the electricity, oil and gas, and 
water sectors, have ongoing initiatives to develop standards, pub- 
lish guidance and host workshops. 

Federal agencies, including DHS, DOE and others, have also ini- 
tiated efforts to improve the security of critical infrastructure con- 
trol systems. These include coordinating with the US-CERT to pro- 
vide timely information about vulnerabilities and incidents, devel- 
oping a Control System Cybersecurity Self-Assessment Tool for con- 
trol system owners and operators, establishing the National 
SCADA Test Bed Program and publishing security guidance. 

However, DHS has not yet established a strategy to coordinate 
the various control systems activities across Federal agencies and 
the private sector. In addition, more can be done to address specific 
weaknesses in DHS’s ability to share information on control system 
vulnerabilities. 

In a report being released today, we recommend that the Sec- 
retary of Homeland Security develop an overarching strategy to 
guide efforts for security control systems and establish a rapid and 
secure process for sharing sensitive vulnerability information with 
control system stakeholders. 

Until DHS implements these actions, increased risk exists that 
the Federal Government and private sector will with invest in du- 
plicative efforts, miss opportunities to learn from the activities of 
others, and not be timely informed about key vulnerabilities that 
expose control systems to an increased risk of disruption. 

Mr. Chairman, this concludes my statement, and I would be 
happy to answer any questions that you or members of the sub- 
committee may have. 

[The statement of Mr. Wilshusen follows:] ^ 

Mr. Langevin. Thank you, Mr. Wilshusen. 

I want to now recognize Mr. Roxey to summarize your statement 
for 5 minutes. 


^ See committee file. 
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STATEMENT OF TIMOTHY E. ROXEY, TECHNICAL ASSISTANT 
TO THE PRESIDENT OF CONSTELLATION GENERATION GROUP 

Mr. Roxey. Chairman Langevin, Ranking Member McCaul and 
members of the subcommittee, thank you very much for allowing 
me the opportunity to come and talk to you today. 

As previously indicated, I am the team lead for the Aurora miti- 
gation efforts in the private sector, and that is part of my hat for 
deputy to the Partnership for Critical Infrastructure Security. 

I am here today to discuss the successful private-public partner- 
ship model of the national infrastructure plan and how this part- 
nership brought about successful mitigation without any need for 
significant regulatory action by any Federal agency. My discussion 
will fall into three areas: actions taken within the private-public 
partnership model, preliminary lessons learned and some con- 
cluding remarks. 

The actions taken started when the private sector was ap- 
proached in late February by Department of Homeland Security. 
The information being conveyed to us at that time was stressed as 
being very sensitive, and we were also told the Department of 
Homeland Security was keeping this information at the FOUA 
level, rather than classified, because, in recognition of the fact that 
85 to 90 percent of the Nation’s critical infrastructure is owned, op- 
erated and secured by the private sector, the classification of such 
information would make it very difficult, if not impossible, to rap- 
idly move forward to mitigation. 

Mitigation actions were developed by my team and the electric 
sector team, with the partnership of Homeland Security and the 
Idaho National Labs subject-matter experts. And they fell into basi- 
cally two categories: the short-term, mid-term, long-term mitigation 
strategies, which are things that you can do to step through and 
reduce and mitigate exposure; and then a set of immediate actions 
that, had this risk been brought out into the public a lot earlier, 
we may have had a threat, therefore we may have had to step 
briskly into some immediate actions. It is gratifying to state right 
now that that has not been the case. 

Support from DHS, DOE and the national labs was essential in 
the development of these strategies. In addition, DHS has main- 
tained a very strong presence within the nuclear sector throughout 
the mitigation strategy’s implementation phase. This effort is, in 
our opinion, a very strong example of effective public-private part- 
nership. 

When the mitigation documents were completed, roughly June, 
June 13th I believe, of this year — so between March and June 13th, 
we developed these documents. They were approved by the Nuclear 
Sector Coordinating Council, the Electric Sector Coordinating 
Council, and transmitted through those councils to the sectors on 
June 20th and 21st. 

The NRC also put out a letter on June 20th, and coordinated 
with the nuclear sector document, requesting that at 60 days and 
180 days we report back to the NRC the progress that we had 
made in implementing those developed strategies. Each of the sec- 
tor mitigation strategies, like I said, identified a 60 — and 180-day 
requirement in the nuclear sector. And the NRC’s letter was their 
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regulatory footprint on this issue to try and drive an understanding 
of the concern to get mitigation accomplished. 

Some have asked why the nuclear sector took this initiative on 
as a commitment. The nuclear power sector, one of the 18 critical 
infrastructures within the Partnership for Critical Infrastructure 
Security, is prohahly the most bounded sector in the United States. 
There are 65 physical sites, 104 power plants and a well-organized 
Nuclear Energy Institute, our industry association. We have a 
strong regulator in our area, the Nuclear Regulatory Commission. 
So it is a very tight box, and we can driving solutions on this very 
quickly. And it was felt that we could make these actions a com- 
mitment on ourselves and execute them within a time frame. 

On June 20th, these actions started off. September 20th, these 
actions were 100 percent successfully mitigated in the nuclear sec- 
tor and all electric-sector assets that are adjacent to nuclear-sector 
assets. That is a very substantial accomplishment. 

A few lessons learned, if I could. 

Effective, voluntary public-private partnership is the key to time- 
ly mitigation of security vulnerabilities. Proactive industry actions, 
endorsed by a Federal agency with oversight responsibilities, led to 
reducing the risk to our Nation’s nuclear infrastructure in a timely 
manner. 

Trust the technical experts and involve them in all communica- 
tions. Bring them along to meetings and briefings. 

Bring a vetted industry group into the conversation as soon as 
possible to validate and partner with researchers. Sector leads from 
PCIS may be an appropriate group, along with their technical ex- 
perts. PCIS is an appropriate vehicle to ensure that there is a 
broad review across many sectors. 

Consistent common messaging provides consistent common miti- 
gation, a common message that all affected sectors received. In this 
case, there are some mixed messages, but we worked very hard to 
fix that. 

Single point of contact facilitates effective coordination. We did 
have a single point of contact within the Department of Homeland 
Security, and that was a very effective tool for us to use as we 
stepped through. 

Concluding remarks: I would like to just jump right to the-addi- 
tionally, the public-private partnership model should be nurtured 
and continued. Early engagement of private-sector leadership 
through interaction between DHS, PCIS and the vulnerability re- 
searchers is an excellent way to fully vet the emerging vulner- 
ability with both DHS and the SMEs from other Federal agencies 
and the private sector. 

These efforts should start with effective awareness campaigns to 
educate all sectors about the risks that they currently face, fol- 
lowed with clear guidance on appropriate mitigation measures for 
the newly discovered risk. This guidance should contemplate all as- 
pects of the technology life cycle, including improved development 
standards, implementation guidelines, operating procedures and in- 
cident response. 

Good progress has been made by progressive asset owners, indus- 
try-initiated infrastructure protection leadership, and by vendors 
willing to anticipate larger market-driven requirements for more 
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security. Security, including cybersecurity, is best enhanced by con- 
tinuing to build trust relationships and voluntary coordination and 
cooperation using the sector partnership framework. The 
nimbleness that effective security requires in the modern world 
makes these trust relationships our best defense. 

Finally, the nuclear sector, in close coordination with our Gov- 
ernment coordinating council partners, did mitigate and close off 
this vulnerability before the threat became known and without new 
regulations. 

Thank you very much. I would be happy to answer any ques- 
tions. 

[The statement of Mr. Roxey follows:] 

Prepared Statement of Timothy E. Roxey 

Mr. Chairman and Members of the Subcommittee: 

I am Tim Roxey, Technical Assistant to the President of Constellation Generation 
Group for security and Deputy to the Chairs for both the Nuclear Sector Coordi- 
nating Council (NSCC) and the Partnership for Critical Infrastructure Security 
(PCIS). I am also the team lead for the Aurora mitigation efforts for the Private 
Sector. 

In this last role I collaborate with subject matter experts (SME) (Research Engi- 
neers from Idaho National Labs (INL) and their contractors. . .who discovered the 
present vulnerability, Industry SME from all of the impacted Critical Infrastructure 
Sectors, Department of Homeland Security (DHS) and Department of Energy (DOE) 
SME and officials) in order to develop mitigation strategies to thwart the exploi- 
tation of the cyber vulnerability which threatens our critical infrastructure. Before 
becoming a Technical Assistant and Deputy to the Chairs of NSCC and PCIS I was 
a director of IT at one of our Nation’s Nuclear Power Plants. In this role I was re- 
sponsible for all telecommunications, IT applications and Cyber Security for the en- 
tire nuclear fleet. In addition, I was the nuclear sector’s Chairman of a standing 
committee dedicated to Cyber Security. I was a founding member of the Nuclear En- 
ergy Institute’s (NEI) cyber security task force; formed shortly after 9/11, the task 
force’s purpose was to write an assessment and mitigation guidance document for 
nuclear power plants. This document, NEI 04-04: Cyber Security Program for 
Power Reactors was endorsed by the NRC and found an acceptable method to ad- 
dress cyber security. Since the endorsement of NEI 04-04 the NRC has proposed 
regulations for cyber security that are consistent with NEI 04-04. 

I have also had former senior level governmental interactions when I worked with 
Vice President A1 Gores’ National Performance Review as a private sector Industry 
Sector Liaison. In this capacity I was charged with bringing Industry’s requirements 
for regulatory interactions into a discussion with various federal sector agencies. 

I am here today however, to discuss the successful use of the Public-Private Part- 
nership model discussed in the National Infrastructure Protection Plan (NIPP). This 
partnership brought about the mitigation of the recently identified control system 
vulnerability (CSV) without the need for significant regulatory action by any federal 
agency. My discussion will fall into two areas as they relate to the present vulner- 
ability. These areas are: 

(1) Actions taken within the Public-Private partnership - structures and proc- 
esses which reduce risk of vulnerability 

(2) Preliminary lessons learned — a look back on this effort to help improve the 
performance of the Public/Private Partnership model’s performance. 

(3) Concluding Remarks 

Actions Taken 

The Nuclear Sector was approached by DHS about the Aurora vulnerability in 
February of 2007. At this initial briefing it was decided that a more through briefing 
would be given to a select sub-group of the NSCC. It was also stressed that this 
subject is very sensitive and hence needed to be protected from disclosure. 

To this final point DHS worked very hard to make sure that the Aurora issue re- 
mained at a FOUO level rather than being classified at a higher level. This decision 
was based on the fact that it is the private sector that owns, operates, and secures 
roughly 85% of all of our nation’s critical infrastructure and key resources. By hav- 
ing the knowledge of this vulnerability classified it would have been difficult if not 
impossible for the private sector to develop and implement mitigation strategies as 
rapidly as it has. 
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In late February DHS officials from Infrastructure Protection briefed the details 
of the Aurora vulnerahility to the NSCC. At this meeting the nuclear sector decided 
to take aggressive action to develop and implement mitigations that would reduce 
the exposure of the nuclear power facilities to this vulnerahility. 

A multilevel structure was developed within the nuclear sector and individuals as- 
signed. The structure consisted of an Executive Review Board that reported to the 
NSCC and a Technical Task Team that was charged with development of guidance 
document for industry to use to perform mitigation activities. 

The nuclear sectors’ Aurora Technical Team worked in close coordination with the 
Electric Sectors’ technical team in the development of mitigation documents. The 
nuclear sectors Technical Team also worked in close coordination with its govern- 
ment partners including strong coordination with the NRC. 

The various mitigation actions that were developed were divided into two areas. 
One area was short-term, mid-term, and long-term actions and the second area was 
a set of actions designed to he implemented immediately if the specific vulnerahility 
was actually being exploited. It is gratifying to say that the immediate actions have 
not been needed. The shortest term actions were targeted at substantially reducing 
the exposure to the vulnerably and the longest term actions were designed to make 
improvements in the supply chain and stand up programmatic actions. 

'The support from DHS, DOE, and the national labs (such as Idaho National Labs) 
in the rapid development and implementation of these mitigation documents was es- 
sential. In addition DHS has maintained a strong presence with the nuclear sector 
throughout these mitigation efforts. This effort is an example of the very effective 
Public-Private partnership. 

When the mitigation documents were completed they were routed through the 
NSCC and ESCC for approval and then scheduled for release to industry. The re- 
lease of the Nuclear Sectors mitigation document was coordinated with the release 
of the Electric Sectors (ES) Information Sharing and Analysis Centers (ISAC) Advi- 
sory which was released one day after the Nuclear Sector mitigation document. 

Based on the endorsement of the NSCC, the Nuclear Sector Technical Task Team 
added additional resources such as a Project Manager to manage the actual imple- 
mentation phase of the mitigation work. A kick off meeting was held in Washin^on 
DC on June 13 with a final release to the industry of mitigation documents made 
the following week. 

Within the nuclear sector a series of weekly meetings between the nuclear sector 
Technical Team (comprised of representatives from INL, DHS, and Industry) and 
the various points of contact for all of the nation’s nuclear power plants was con- 
vened and mitigation efforts began. To monitor the sectors performance the Tech- 
nical Task Teams’ PM prepared status reports for the Executive Review Board and 
DHS. These reports were updated every week based on the weekly meeting report 
out by all of the nuclear utility participants. 

Each of the sector mitigation documents urged that actions be taken within 60 
days and then again different actions within 180 days. The NRC in a letter, coordi- 
nated for release along with the sectors’ mitigation document, requested that the 
nuclear sector licensees provide an update to the NRC on progress made at the com- 
pletion of the 60 days and 180 day efforts. 

Why did Nuclear take this initiative on as a requirement? The nuclear power sec- 
tor took this opportunity to demonstrate its commitment to security. The sector rec- 
ognized the validity of the vulnerability, and because the sector is well structured 
to handle these types of emergent issues, with only 65 physical sites and 104 power 
plants and a well organized industry association (the Nuclear Energy Institute), it 
was feasible to develop a uniform mitigation plan that sector members could imple- 
ment within the desired time frame. 

Lessons Learned 

1. An effective, voluntary public-private partnership is the key to timely 
mitigation of security vulnerabilities. Proactive industry actions, endorsed 
by a federal agency with oversight responsibilities, are effective in reducing the 
risk to our nation’s nuclear infrastructure in a timely manner without the 
delays or exposure of sensitive information that the due process requirements 
of regulatory action could necessitate. 

2. Trust the technical experts and involve them in all communications. 

Bring them along to meetings and briefings for support. Several times it seemed 
that the message changed as it moved from the technical experts to the policy 
experts. When non-technical people brief on technical aspects to technical peo- 
ple there is a high risk of losing credibility and it becomes difficult to recover. 

3. Bring in a vetted industry group ASAP to validate and partner with 
researchers. This group will validate the conclusions of the researchers and fa- 
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cilitate expedient response by private sector owners and operators, because 
their involvement lends credibility to the message. Sector leads from PCIS may 
be an appropriate group, as long as they bring their technical experts to the 
table as well. In this regard, PCIS is an appropriate vehicle to ensure that there 
is a broad review across many sectors. 

4. A multi-sector implementation plan is needed to provide cross-sector 
coordination. An implementation plan should be developed that addresses the 
sequence of sector engagement based upon a full discussion between the public 
sector and private sector. Although in the present effort this was performed suc- 
cessfully this step needs to be institutionalized so that future discoveries can 
benefit from this step. This plan should address the sector and assets to address 
first then second then third, etc. 

5. Consistent common messaging provides consistent common mitigation. 

There should be a common message that all effected sectors receive. In this par- 
ticular case there are mixed messages. After 16 months of research and 5 
months of multi-sector mitigation strategy development there are still some 
messages saying this is not a significant issue because of the difficulty of ex- 
ploiting it and others saying it is. 

6. Single point of contact facilitiates effective coordination. The establish- 
ment of a single point of contact within DHS was of great utility to the Private 
Sector. This single point of DHS contact provide for consistent and sustained 
coordination with the subject matter experts of INL and the private sector team 
of subject matter experts and the Aurora Technical Team’s lead. This support 
was instrumental in the achievement of nuclear sectors 60 day mitigation and 
the electric sectors mitigation of nearby electric sector assets. 

Concluding Remarks 

The course of action that is recommended for any future discovered vulnerability, 
in light of the success of the present mitigation efforts, leads to the conclusion that 
continued decisive and coordinated private sector partnerships leads to a better vet- 
ting of vulnerabilities and a faster response via mitigation. In addition, these ac- 
tions can take place much faster than the regulatory rule making process. This was 
shown to be the case within the nuclear sector. 

Additionally, the course of action that is recommended for any future discovered 
vulnerability, in light of the success of the present mitigation efforts, leads to the 
conclusion that continued decisive, coordinated, and committed effort by govern- 
ment, and private sector leadership within the framework of the Public Private 
Partnership model should be nurtured and continued. Early engagement of private 
sector leadership through interaction between DHS, PCIS and the vulnerability re- 
searchers is an excellent way to fully vet the emerging vulnerability with both DHS 
(and SME’s from other federal agency’s) and the private sector. 

These efforts should start with effective awareness campaigns to educate all sec- 
tors about the risks that they currently face, followed with clear guidance on appro- 
priate mitigation measures for the newly discovered risk. This guidance should con- 
template all aspects of the technology lifecycle, including improved development 
standards, implementation guidelines, operations procedures, and incident response. 
Good progress has been made by progressive asset owners, industry-initiated infra- 
structure protection leadership and by vendors willing to anticipate larger market- 
driven requirements for more security. Security, including cyber security, is best en- 
hanced by continuing to build trust relationships and voluntary coordination and co- 
operation using the sector partnership framework. The nimbleness that effective se- 
curity requires in the modern world makes these trust relationships our best de- 
fense. 

Mr. Langevin. I want to thank the witnesses for their testimony. 
And I will remind the members that each member will have 
5|iminutes to question the panel. 

And I recognize myself now for the purpose of asking questions. 
Secretary Garcia, I would like to start with you. In your written 
statement, it says that you were pleased with the results of the 
public-private partnership on Aurora because you developed miti- 
gation guidance. Now, guidance is good, but this committee is most 
concerned about mitigation implementation. 

So my question is, what percentage of the electric-sector owners 
and operators do you believe implemented the Aurora recommenda- 
tions issued by NERC? 
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Mr. Garcia. Yes, Mr. Chairman, we would rely on the industry 
sector leads to collect that information, as that is something that 
we don’t collect nor compel. But we do understand that the mitiga- 
tion strategies were sent out to hundreds of electric-sector owners 
and operators. And, as Mr. Roxey indicated for the nuclear sector, 
he reported about 100 percent mitigation. 

So we are looking to continue the partnership with the private- 
sector leads to monitor how well that implementation is going. But 
for specific numbers, I don’t have that for you today. 

Mr. Langevin. But Mr. Roxey, in the comments that he was 
making, was speaking specifically about the nuclear sector and not 
the electric grid. So we may have had success on the nuclear side 
and in securing SCADA systems, but not necessarily on the electric 
side. 

Now, I think that is an area where Homeland Security has to be 
much more proactive, in making sure that the mitigation strategies 
were actually implemented. 

Mr. Garcia. Absolutely, sir. 

Mr. Langevin. We clearly don’t want to find out that we knew 
there was a problem, we expected mitigation to take place, and yet 
it wasn’t. And we don’t want to find that out only after something 
were to happen, an attack occurs or, whether it is intentional or 
unintentional, something shuts down the power grid. 

Mr. Garcia. Yes, sir. And we also rely heavily on our Federal 
partner on this, FERC, who you will be hearing from in the next 
panel, who is keeping up that close relationship with the electric 
sector to monitor progress in that area. 

But this is something that DHS takes very seriously. And we 
continue to push on this with all sectors, because we are concerned 
with common vulnerabilities, control systems vulnerabilities, across 
all the critical sectors. So we are trying to raise awareness of this 
not just in the electric sector and nuclear, but to many other crit- 
ical sectors. 

Mr. Langevin. Well, Assistant Secretary Garcia and Mr. 
Wilshusen, have you reviewed our comments to the FERC Rule- 
making? And, if so, do you agree with our assessment that the nar- 
row definition of critical assets allows the electric industry to avoid 
securing many connective devices? 

Mr. Wilshusen. Yes, we have taken a preliminary look at your 
comments, as well as those of the requirements that NERC has es- 
tablished and the reliability standards. And, yes, we do have some 
concerns about the extent to which these standards and regulations 
apply to those types of assets. 

We believe that, in many cases, that they do not appear to con- 
sider, one, the interdependencies of critical infrastructure on the 
bulk electrical system. And they also appear to identify only those 
assets which could have an impact on the availability or reliability 
of the bulk electrical system, and does not necessarily identify 
those assets or cover those assets that, while they may not have 
an impact on the overall bulk electrical system, they could have a 
significant localized impact on critical infrastructures that are sup- 
ported by the bulk electrical system. 

Mr. Langevin. Yes, that is an important point. 

Secretary Garcia? 
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Mr. Garcia. Mr. Chairman, we are trying to get standards that 
all industry sectors can deploy against vulnerabilities to their con- 
trol systems. And certainly, the NIST standards ought to be heav- 
ily considered in all critical infrastructure control systems stand- 
ards development, in addition to sector-specific operational require- 
ments. 

So while we don’t have specific guidance on each sector for what 
standards they ought to deploy, we think that they ought to be able 
to effectively combine the NIST standards with those that are spe- 
cific to their sector. 

And on the electric sector, I think our friends in FERC may have 
more comment on that. 

Mr. Langevin. But do you agree that our assessment that the 
narrow definition of critical assets allows electric industry to avoid 
securing many connected devices? 

Mr. Garcia. I would actually prefer, on a question of that specific 
detail, to defer to FERC on making the judgment about the sectors 
implementation. 

Mr. Langevin. Mr. Wilshusen, the committee asked GAO to com- 
pare the NERC standards with NIST 800-53. Can you briefly de- 
scribe your conclusion? 

Mr. Wilshusen. Yes. We found that the NERC reliability stand- 
ards contained less stringent security requirements and guidelines 
than the NIST guidance. The NERC standards do not provide lev- 
els of protection from cyber attacks commensurate with the manda- 
tory minimum low-baseline level of protection required by NIST. 

For example, NERC standards addressed only a subset of a low — 
and moderate-baseline control set specified in 800-53. And this 
subset may not be adequate for protecting critical national infra- 
structure control systems, especially when considering the inter- 
dependencies of the critical infrastructures. And further, it may not 
be adequate for all electrical energy systems when the impact of re- 
gional and national power outages is considered. 

Mr. Langevin. I thank you, Mr. Wilshusen. 

The Chair now recognizes the — before I turn it over to the rank- 
ing member, I think this is something we are going to have to take 
a harder look at. Because why NERC would have standards that 
are below NIST when the Federal Government has to comply with 
NIST standards and the larger impact potentially would be in the 
private sector and why NERC would adopt standards which aren’t 
on par to NIST is beyond me. And this is something we are going 
to pay particularly close attention to. If need be, legislation would 
be required to require that standard to be on par. 

With that, the Chair now recognizes the ranking member for 
5pminutes. 

Mr. McCaul. I thank the Chairman. And, as you know, we are 
in agreement on that issue. 

I recall being briefed, I think it was last January — we had just 
got sworn into the new Congress, and we got briefed on this signifi- 
cant vulnerability — and at that time, it was a closed-door session; 
it has come out on the news now — but the vulnerability that could 
potentially shut down our power grids in this country and bring 
tremendous destruction. 
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We know that 25 nations have developed cyher warfare pro- 
grams, so the capability, this type of capability in the wrong hands 
of a rogue nation or a terrorist state could be devastating. 

But I also believe that credit is due where it is due. And I think 
that the fact that we discovered this, through the Idaho National 
Labs, on our own, proactively, and Mr. Garcia, working with the 
Department Homeland Security, and, Mr. Roxey, your coordination 
on the mitigation strategy with the private sector, is to be com- 
mended. 

And that is really what, I think, in the Congress, we want to see, 
is instead of being behind the curve and catching up — and we know 
the vulnerabilities are huge and the intrusions happen all the time. 
This was actually a good-news story and an example of where we 
discovered the vulnerability, not some foreign entity or some crimi- 
nal. We found it first. We fixed it. And then by June, Mr. Roxey, 
you put your plan of action, mitigation strategy into action. Within 
60 days, the nuclear sector was protected. The electricity, I think 
it will take 120 days. 

But I think that is an important point to make. I mean, you are 
really to be commended for what you did. I know sharing informa- 
tion, which we require you do with the Congress, always makes 
you a little nervous, because you don’t know what is going to hap- 
pen with that information. But this was a good-news story. I mean, 
we really stopped a serious thing from being a serious threat to the 
United States. And I think it is great news. 

And, Mr. Wilshusen, I agree with you. I think an overarching 
strategy is what we need at the Department of Homeland Security. 

Mr. Garcia, I know you are working on that. 

And I think the coordination with the stakeholders through the 
private sector is critically important. And, Mr. Roxey, through your 
testimony, I think you’ve demonstrated that, in large part, that is 
working, through the ISACs, the Information Sharing Analysis 
Centers. That is what was actually put into place through the miti- 
gation strategy, and it is working. 

My question, without going into a sermon up here, is, what can 
we do to see more of this? 

What can you do, Mr. Garcia, at the Department of Homeland 
Security to proactively find vulnerabilities that are out there, be- 
fore our enemies do, and then fix them and then mitigate the po- 
tential damage that can be done? 

And that is for the entire panel. 

Mr. Garcia. Congressman, thank you for the question and for 
the compliment. I very much appreciate it. 

My response as to what you can do is, you are doing it right now. 
Having public hearings like this that are raising the issue and rais- 
ing the awareness ab^out the range of vulnerabilities that we face 
to our critical infrastructure really is the first step to get people to 
sit up and pay attention, particularly the owners and operators of 
the infrastructures that they have responsibility for protecting. 

You are correct that this was a vulnerability that we initially 
identified, hypothesized that this could actually happen. We under- 
stood that, as Mr. Wilshusen has pointed out, that the control sys- 
tems vulnerability — we have known for some time that there are 
vulnerabilities in control systems. What made this one different is 


VerDate Nov 24 2008 


13:19 Sep 04, 2009 Jkt 000000 PO 00000 Frm 00026 Fmt 6633 Sfmt 6601 H:\DOCS\110-HRGS\110-78\48973.TXT MSEC PsN: DIANE 



23 


that the vulnerability was susceptible to cyber attack that would 
have a physical impact on a structure such as a generator. 

And since the time that we had gone through the mitigation 
strategy with the private sector, with nuclear and electric, we 
learned quite a lot about how to work this process. I mean, this 
case, this really was the first instance that we had put the Na- 
tional Infrastructure Protection Plan, the sector-specific plans to 
work. This was a model for how Federal agencies work together, 
to work with their private-sector counterparts. So DOE, Defense 
Department, DHS, several other agencies worked very closely with 
their industry counterparts. 

We have a number of lessons learned out of that process that I 
can tell you we are only going to be more effective and more expe- 
ditious as we continue to look for and discover, identify 
vulnerabilities to various other control systems. And since nuclear 
and electric, we have worked with the private sectors from chem- 
ical, oil and natural gas, dams and water. And last month, in Sep- 
tember, those industry sectors sent out mitigation strategies for 
their control systems. 

So we are moving apace, with all due diligence and good speed, 
to attack these vulnerabilities very quickly. 

Mr. McCaul. Thank you. 

And Just very briefly, Mr. Roxey. 

Mr. Roxey. I would like to add to what Mr. Garcia just said, 
that, by pursuing and nuturing the public-private partnership 
model, you are going to be doing exactly what you are after. The 
other sectors, the water/dam, chemical, oil and gas sector, that are 
out there right now on their 60 -day clock — that is where the 180 - 
day clock for electric is — they are going to be calling their electric 
sectors in to mitigate those assets as well. 

So I think that this was — and we appreciate the kudos. Thank 
you very much. By looking at the lessons learned from this and im- 
plementing those, I think we are only going to get better from here. 
Thank you. 

Mr. WiLSHUSEN. And I would just like to add, too, that one of the 
key things that both the public and private sector will need to do 
as they increasingly use IP protocols, in terms of being able to con- 
nect to their control systems with other company networks on the 
Internet, to be aware of the risk of the increased accessibility and 
interconnectivity. And then to learn from the examples that are le- 
gion in the regular Federal IT space, that there are significant 
risks and vulnerabilities associated with interconnecting systems, 
and to take the appropriate steps to mitigate those risks by devel- 
oping the policies, procedures and controls, and then testing those 
techniques and controls to make sure that they are effectively im- 
plemented and operating as designed. 

And then, once you have that, as we have discussed and the 
other members have mentioned, is to make sure to keep the lines 
of communication open and share this information of 
vulnerabilities and of new threats among all the parties within this 
space. 

Mr. McCaul. Just in closing, Mr. Chairman, I think this is a 
great exercise and experience that we can really draw upon to have 
lessons learned but also use as a model for future cases. 
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And I want to commend the gentlemen again. Thank you. 

Mr. Langevin. I thank the gentleman. 

And briefly, to comment on the ranking member’s opening com- 
ments, in many ways there are elements of this being a good-news 
story. First of all, I commend the gentleman from Idaho National 
Labs who first detected the problem and then brought it to the at- 
tention of the Congress and also Department of Homeland Secu- 
rity. And then the Department of Homeland Security did put in 
place the Tiger Teams to try to address this. 

Where we want to make sure this continues to be a good-news 
story is that we actually, in coming up with the mitigation strate- 
gies, that we see these strategies actually implemented. We need 
to have a high degree of confidence that when something of this se- 
riousness and magnitude is identified, mitigation procedures are 
prescribed, that there is follow-through and not left to just hoping 
that it is not going to happen them or a particular sector; that they 
actually take it seriously, and that the electric or gas or oil sectors 
actually follow through and implement the strategies. 

With that, the Chair now recognizes other members for questions 
they may wish to ask of the witnesses. In accordance with our com- 
mittee rules and practice, I will now recognize members who were 
present at the start of the hearing, based on the seniority on the 
subcommittee, alternating between minority and majority. Those 
members coming later will be recognized in order of their arrival. 

With that, the Chair now recognizes the gentleman from New 
Jersey for Spminutes. 

Mr. Pascrell. Thank you, Mr. Chairman. 

Mr. Garcia, a cybersecurity attack on our energy grid is certainly 
one of the emerging threats and security vulnerabilities that need 
to be thoroughly studied, addressed through the proper security 
regulations to hear what the private sector has to say about it, to 
hear what regulations or recommendations will come out of the 
Federal Government, and so we can have a meeting of the minds. 
We are not trying to impose, but we want to protect. 

So I have had many concerns about the management over at the 
Department of Homeland Security. Specifically, this committee has 
discovered that, as was mentioned earlier, many of the most impor- 
tant areas within the Department are unfilled at the senior-man- 
agement level, leaving critical security areas with what we would 
consider to be less-than-adequate leadership. 

My question is, how many program managers have been in 
charge of the Control Systems Security Program in the last 3 
years? 

Mr. Garcia. Congressman, I am not certain of the number. Our 
last control systems manager had been with us for more than a 
year. 

But we at CSMC and my component. National Cybersecurity Di- 
vision, take very seriously our need to retain our talent and to re- 
cruit additional talents. I am happy to report that we are aggres- 
sively filling the control systems director position. The job has been 
posted, and we will move aggressively to fill that, as with the other 
vacancies in the organization. 

Mr. Pascrell. Would you get back to me on that? 

Mr. Garcia. I would be happy to. Thank you. 
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Mr. Pascrell. How much is being spent on the control systems 
security at DHS? 

Mr. Garcia. Our fiscal year 2008 budget is currently $12 million. 
And it is important to note that we are leveraging the resources 
not just within the control systems program but across NCSD that 
provides input and expertise with other aspects of the control sys- 
tems issue. And additionally, we are leveraging our partnership 
with 

Mr. Pascrell. What was the 2007 budget, fiscal year budget? 

Mr. Garcia. I will have to get back to you on that number. It 
does represent an increase. 

Mr. Pascrell. Who was in charge of this program, and at what 
grade is this person? 

Mr. Garcia. This is a GS-15, and this is the individual we ex- 
pect to have the post filled, backfilled very quickly. 

Mr. Pascrell. There is no person there? 

Mr. Garcia. That person left for personal reasons; that is correct. 

Mr. Pascrell. Mr. Chairman — 

Mr. Garcia. It is now being handled by our acting director of the 
National Cybersecurity Division. 

Mr. Pascrell. My last question is this. DHS issued regulations 
in 2007 on chemical security. This committee, on a bipartisan 
basis, was very clear on what it wanted. It also added a cybersecu- 
rity component to existing regulations. Was your office consulted on 
this? 

Mr. Garcia. Oh, absolutely. We were part of that development, 
and we currently are working with all the private sectors to con- 
sider specific mitigation strategies for all of their control systems, 
rather than try to apply a regulatory overlay on all of the other 

Mr. Pascrell. So, at least in this area, one hand knows what 
the other is doing? 

Mr. Garcia. That is correct. 

Mr. Pascrell. That is healthy. That is very healthy. 

Mr. Wilshusen, in your statement, you asserted that the annual 
cost to the energy sector for maintaining control systems, to main- 
tain the networks, to maintaining equipment and personnel, was 
around $400 million. You said that in your statement. 

Can you speculate how much more would it cost if the proposed 
recommendations in the National Science and Tech Standards — 
that is 800-53 — if they were adopted instead of the NERC-proposed 
standards, do you have any idea what the difference in cost would 
be? And is that relevant? 

Mr. Wilshusen. No, sir, I don’t have that information on how 
much that would cost. 

Mr. Pascrell. Is it relevant? 

Mr. Wilshusen. Certainly. Relevant in terms of its consideration 
in implementation of controls, because when you determine wheth- 
er or not to implement a particular control, you need to make sure 
that that control cost-effectively will reduce the risk to an accept- 
able level. And so, certainly, cost is a factor. 

Mr. Pascrell. So, if one set of standards implement — and I am 
giving an example here. Cost would be simply be one of the factors 
that would be involved to decide which one we would try to imple- 
ment. Is that a fair statement? 
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Mr. WiLSHUSEN. I would say cost is a factor in the determination 
of which controls to implement, sure. But so is the adverse impact 
or harm that could occur should that control not be implemented 
and such a vulnerability or weakness be exploited. 

Mr. Pascrell. Thank you very much. 

Thank you, Mr. Chairman. 

Mr. Langevin. The Chair now recognizes the gentlelady from 
Florida, Ms. Ginny Brown-Waite. 

Ms. Brown-Waite. Thank you very much. 

I still remember when we first learned about the problem, and 
I couldn’t help but think about whether it was TVA, with the dams, 
or even in Florida, where we have control structures that, you 
know, would have a wide range of repercussions if anything hap- 
pened. 

And I would like to address this to Mr. Wilshusen. While I un- 
derstand the grave risks facing our control grid, could you elabo- 
rate on how the countless power and energy providers would be im- 
pacted by having to comply? 

And I am sorry, you may have answered this before I got here. 
I apologize. 

Mr. Wilshusen. Well, one of the things — if they are now in com- 
pliance with the NERC reliability standards, and they were to try 
to go implement the controls to be in compliance with the NIST 
standards, because the NERC reliability standards contain just a 
subset of the NIST standards, it would impact them to the extent 
that they would need to implement additional controls in order to 
be in compliance with those standards. 

In some cases, it is also important to realize that the NIST 
standards and minimum security requirements, in certain cases, 
may not be appropriate or practical or feasible for certain control 
systems because of the environment that it is, but that 

Ms. Brown-Waite. Would you give me an example of one that 
it wouldn’t be appropriate for? 

Mr. Wilshusen. Here is one that the industry representatives 
have identified. Eor example, one would be having password con- 
trols over some of the control systems. Their thinking was that, in 
the event of an emergency, it is imperative that the operator be 
able to log on to their system and react immediately, and that the 
use of passwords could potentially disrupt that or make it more dif- 
ficult for that individual to log on in a timely manner. 

Ms. Brown-Waite. Are nuclear power plants — and I happen to 
have one in my district. Some people consider it a blessing; others 
consider it less of a blessing. Are nuclear power plants certainly at 
the top of the risk category? 

Mr. Wilshusen. I would say — well, it depends on which perspec- 
tive, but in terms of a security breach or vulnerability, I would say 
that they are probably near the top. But I really couldn’t say that 
without specific evidence that we haven’t really looked at that to 
see which of the industries are most at risk. 

Ms. Brown-Waite. Okay. I appreciate that. Thank you. 

And I yield back, Mr. Chairman. 

Mr. Langevin. I thank the gentlelady. 

The gentlelady from California, Ms. Lofgren, is recognized now 
for 5 minutes. 
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Ms. Lofgren. Thank you very much, Mr. Chairman, and to the 
witnesses. 

I just have a couple of questions. Actually, the GAO report 
makes me very anxious. One of the concerns that we have had here 
is our exposure in the cyher area. And that is why, when Mr. 
Thornberry was on this committee, he and I worked together, and 
it was really one of those high points of my career in Congress to 
work in such a collaborative fashion, in a bipartisan fashion, to cre- 
ate the position that you now hold, Mr. Garcia, with the idea that 
we really needed the kind of attention that this threat was not get- 
ting. 

And here is my concern, that the GAO really identifies the same 
deficiencies that the outside critics have identified in the scope of 
the NERC CIP standards and specifically on the interconnections 
and the possibility of cascading failures. 

Ms. Lofgren. [Continuing.] And so the question is, what are you 
going to do about it? What leadership are you going to show to 
make sure that these gaps are remedied? 

Mr. Garcia. First of all. Congresswoman, thank you very much. 
Thank you very much for creating the position that I now fill. I am 
very eager to demonstrate some very tangible accomplishments 
throughout my tenure here, and I think control systems rank 
amongst the highest. 

I think we have already shown tremendous progress in control 
systems across the board, not just in the electric and nuclear sec- 
tors, but in the other sectors that I have mentioned that we are 
now taking action on. And I go back to the point that as 85 to 90 
percent 

Ms. Lofgren. Could I interrupt to follow up on that point? Are 
you suggesting that the points that the GAO has made and that 
some of the outside — I see Mr. Weiss — I always see him on the air- 
plane — sitting in the audience — have made that you have already 
started the remedies on those and that you are well under way? 

Mr. Garcia. Are you talking about the electric sector specifically 
or just generally? 

Ms. Lofgren. Yes. 

Mr. Garcia. On the electric sector and through our private sector 
partners in the electric sector; and our Federal partners developed 
collectively mitigation strategies 

Ms. Lofgren. So the criticism that the GAO is making on the 
deficiencies in the NERC standards, that is no longer accurate? 

Mr. Garcia. On the specific standards, I think that the FERC 
witness coming up in the next panel will have more to discuss 
about specific standards. Our role at DHS is one as a coordinator, 
to try to bring together the various parties who 

Ms. Lofgren. Well, if I may, I don’t believe that is the case, and 
it is certainly not what we intended in Congress. Clearly, we have 
a collaborative and coordinating role to play, but part of the prob- 
lem is that we haven’t made any progress on the cybersecurity 
front, or haven’t for a long, long time; and we expect the Depart- 
ment to show some leadership. 

I mean, I don’t want to pick on the power industry, but this is 
true in any sector that is not the tech sector. They are looking at 
what they see, but they may not see the whole picture. And so that 
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is our job, to see the interconnections, to see the possibilities of 
interconnecting, cascading failures; and to insist that measures be 
taken to secure the cyber space that that sector may not see be- 
cause the public’s interest is larger than just their narrow interest. 
And I don’t mean to diminish their narrow interest, but we have 
a broader scope here. 

So the question really isn’t to FERC. It is to you. What are you 
going to do about it? 

Mr. Garcia. Absolutely, Congresswoman. We take very seriously 
every sector’s responsibility for securing their infrastructure. Ab- 
sent regulatory authority, we are relying on the framework devised 
in the National Infrastructure Protection Plan and their compo- 
nent, sector-specific plans and our partnerships with the Federal 
agencies that have specific responsibility, regulatory or otherwise, 
to specific sectors. 

Ms. Lofgren. Let me ask you this because my time is about to 
run out and we also have votes on the floor. 

I would like to get in follow-up to this meeting kind of where we 
are on the specific issues raised by the GAO and to the extent it 
is different from the outside critics; and then get from you your as- 
sessment of what you can do to meet the standard identified by 
GAO in terms of scope; and then, if you can’t do it with the tools 
that you currently have, recommend what additional tools you 
think would be necessary. 

Could you do that? 

Mr. Garcia. Yes, ma’am. We would be happy to come up and go 
through this in much more detail. 

Ms. Lofgren. Thank you very much. 

I thank you, Mr. Chairman. 

Mr. Langevin. I thank the gentlelady for her questions. And on 
that very point, we are in lockstep. I agree that you should have 
the tools to make sure that we have these strategies put in place 
and acted upon. And if not, whether it is — I am not at all satisfied 
that enough is being done here, and if we need to give additional 
tools either to DHS or FERC to make sure that — particularly, when 
if you are talking about actionable intelligence or information that 
needs to be acted on quickly — that the tools are in place and we 
actually make sure that they have them. So the steps — that the 
mitigation factors take place. 

So, with that, I am going to — since there are votes on, I am going 
to dismiss this panel. We will recess for about 20 minutes and then 
call up the second panel. 

I thank the witnesses for their testimony. 

And the subcommittee now stands in recess. 

[Recess.] 

Mr. Langevin. The subcommittee will come to order. Let me 
begin by thanking the second panel of witnesses for being here 
today. And let me just begin by introducing and welcoming Mr. Joe 
McClelland, the Director of Electric Reliability for the Federal En- 
ergy Regulatory Commission. Mr. McClelland was previously Direc- 
tor of the Division of Reliability at FERC since 2004. He came to 
the Commission with more than 20 years of experience in the elec- 
tric utility industry. 

Thank you for being here. 
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Our second witness is Mr. David Whiteley, the Executive Vice 
President of North American Electric Reliability Corporation. Mr. 
Whiteley is responsible for overseeing the performance of four 
NERC program standards: reliability, readiness training, education 
and personal certification, and members’ forums. Thank you for 
coming. 

And our third witness is Mr. Joe Weiss, Managing Partner of Ap- 
plied Control Solutions. Mr. Weiss is a nuclear engineer who spent 
more than 30 years working in the commercial power industry. He 
is a member of many groups working to improve the reliability and 
availability of critical infrastructures and their control systems. 

Without objection, the witnesses’ full statements will be inserted 
in the record. 

Mr. Langevin. Before I go to Mr. McClelland for his testimony, 
we had hoped to air a brief video before the start of the first panel, 
that just testified. The video was not ready. I am told that it is now 
ready to be shown. This will give members of the committee a vis- 
ual understanding of the degree of concern I and many others have 
and how serious the potential problem could be with respect to the 
control systems being corrupted. 

So, with that, I am going to ask the technical people to begin the 
video. I am told that everything is in order and should work. So, 
with that, we can start the video. 

[Video plays.] 

Mr. Langevin. Well, that just, as I said, puts a visual to how po- 
tentially serious this problem could be if not addressed quickly. 

I take this seriously; I know the ranking member does as well, 
and we are going to do all we can to exercise maximum oversight 
to ensure the worst-case scenario that was potentially spoken about 
in that piece we just saw never occurs. 

With that, I now ask each witness to summarize their statement 
for 5 minutes, beginning with Mr. McClelland. 

Mr. McClelland, thank you for your testimony and for being here 
today. Welcome. 

STATEMENT OF JOSEPH MCCLELLAND, DIRECTOR, OFFICE OF 

ELECTRIC RELIABILITY, FEDERAL ENERGY REGULATORY 

COMMISSION 

Mr. McClelland. Thank you, Mr. Chairman, Ranking Member 
McCaul and subcommittee members for providing this opportunity 
to appear today. 

I am the Director of the Federal Energy Regulatory Commis- 
sion’s newest office, the Office of Electric Reliability. My office’s 
mission is to help protect and improve the reliability and security 
of the Nation’s bulk power system under authority granted to the 
Commission in the Energy Policy Act of 2005. 

I am here today as a Commission staff witness. My remarks do 
not necessarily represent the views of the Commission or of any in- 
dividual commissioner. 

New section 215 of the Federal Power Act, or FPA, requires that 
the users, owners and operators of the Nation’s bulk power system 
abide by mandatory reliability standards. Under the new statutory 
framework, these standards are developed and proposed by the 
Electric Reliability Organization, or ERO, to the Commission. 
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Standards become mandatory only after they are approved by the 
Commission. 

To meet its obligations under section 215, the Commission has 
certified the North American Electric Reliability Corporation, or 
NERC, as the ERO. We have approved eight delegation agreements 
for the regional entities that will be assisting NERC in its efforts 
and approved 83 of 107 proposed reliability standards while simul- 
taneously directing that 56 of the approved standards be improved. 

The approved standards became mandatory on June 18, 2007. 
Violations of these new mandatory rules can trigger significant 
penalties and enforcement actions by the Commission itself, or 
more typically by the ERO, subject to the Commission’s oversight. 

Section 215 of the FPA specifically covers cybersecurity for the 
bulk power system. In August 2006, NERC proposed eight cyberse- 
curity standards for the Commission’s approval, requesting that 
auditable compliance not begin until mid-2009, continuing through 
2010. 

We have been reviewing NERC’s proposed cybersecurity stand- 
ards in our rulemaking proceeding, thereby engaging all of the af- 
fected industry and stakeholders. Using this process, the Commis- 
sion has issued both a staff preliminary assessment and a notice 
of proposed rulemaking, considering over 1,300 pages of comments 
from over 100 industry and stakeholder entities. 

Although the Commission has proposed to approve the standards 
in the Notice of Proposed Rulemaking, it has also expressed a need 
for immediate revisions to the standards, such as the elimination 
of the overly broad, quote, “reasonable business judgment,” end 
quote, approach and narrowing of the term, quote, “technical feasi- 
bility,” end quote. 

Stakeholder comments on the rulemaking proceeding have raised 
issues concerning equipment operating costs and the appropriate 
scope of industry discretion. Other commenters, such as Members 
of Congress, including members of this subcommittee, have asked 
that the Commission consider and incorporate features from the 
standards being developed by the National Institute of Standards 
and Technology, or NIST. The Commission currently is considering 
all the comments it has received. 

With respect to the NIST standards, I note that the Commission 
has indicated in the NOPR, or Notice of Proposed Rulemaking, that 
it expects the ERO to evaluate any provisions in the NIST stand- 
ards that would better protect the bulk power system. If there are 
NIST provisions that would improve cybersecurity protection, the 
Commission can order the ERO to initiate a standards development 
process, or the ERO on its own can initiate a standards develop- 
ment process to incorporate such NIST provisions in the mandatory 
reliability standards. 

In response to recent events and news reports, the Commission 
is examining its options for timely responses to urgent cybersecu- 
rity risks to the bulk power system. By law, the reliability stand- 
ards process used by the ERO has to provide for reasonable notice, 
the opportunity for public comment, due process, openness and bal- 
ance of interests in developing the standards. 

In practice, this has meant that the reliability standards pro- 
posed by the ERO are based on consensus from industry. Con- 
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sequently, the process is not nimble and can take years to develop 
proposed standards. 

The Commission is assessing ways to more promptly address ur- 
gent cybersecurity risks while protecting sensitive information in- 
volving national security. If the Commission determines that it 
needs additional authority to accomplish this task, it will rec- 
ommend appropriate legislation to meet its responsibilities under 
EPAct 2005. 

To protect the Nation’s bulk power system, the Commission is 
encountering new staffing and program needs. In particular, the 
Commission needs more engineering to review and help develop 
proposed reliability standards, conduct bulk power event analyses 
and investigate potential violations. The Commission has requested 
additional funds for 2008 to be recovered through the Commission’s 
self-funding process. I encourage you to support the Commission’s 
efforts to obtain more funding. 

In conclusion, I stress that the Commission is taking all the 
steps it can under its new reliability authority to protect the bulk 
power system and is dedicated to fulfilling Congress’ goals. 

Thank you again for the opportunity to testify today. And I 
would be happy to answer any questions that you may have. 

Mr. Langevin. Thank you, Mr. McClelland. 

[The statement of Mr. McClelland follows:] 

Prepared Statement of Joesph McClelland 

Mr. Chairman and Members of the Subcommittee: 

Thank you for this opportunity to appear before you to discuss the cyber threat 
to the electric grid’s control systems. My name is Joseph McClelland. I am the Di- 
rector of the new Office of Electric Reliability (OER) of the Federal Energy Regu- 
latory Commission (Commission). The OER’s mission is to help protect and improve 
the reliability and security of the Nation’s bulk-power system through effective regu- 
latory oversight as established in the Energy Policy Act of 2005 (EPAct 2005). I am 
here today as a Commission staff witness and my remarks do not necessarily rep- 
resent the views of the Commission or any individual Commissioner. 

My testimony summarizes the Commission’s recent efforts to improve the security 
of the Nation’s electric power system. Congress’s recent legislation has greatly ex- 
panded the Commission’s ability to anticipate and respond to cybersecurity threats 
to a critical component of the Nation’s infrastructure, the interstate bulk-power sys- 
tem. The Commission has met its statutory deadlines and provided a solid founda- 
tion for ongoing regulatory efforts. Ongoing efforts focus on the approval of Reli- 
ability Standards governing the planning and operation of the interstate bulk-power 
system as mandatory rules with appropriate penalties, subject to the Commission’s 
oversight and approval. 

The Commission continues to work with the North American Electric Reliability 
Corporation (NERC) to protect the bulk-power system from cybersecurity threats. 
NERC has proposed cybersecurity standards for the industry and the Commission 
has issued a notice of proposed rulemaking addressing these standards. The Com- 
mission is reviewing comments on these standards and is committed to ensuring 
that the resulting standards are consistent with and effectively implement rec- 
ommendations proposed in response to the 2003 blackout affecting the Northeast 
United States and Canada. 

The Commission is assessing its options for immediately and effectively address- 
ing urgent cybersecurity risks to the electric system. The Reliability Standards proc- 
ess, which focuses on consensus from industry representatives, typically takes con- 
siderable time to implement. If the Commission determines that its authority to 
promptly address cybersecurity risks is inadequate, it will seek additional legisla- 
tion. 

As the Commission meets its responsibilities under EPAct 2005 to protect the Na- 
tion’s bulk-power system, it is encountering new staffing and program needs. In par- 
ticular, the Commission needs to hire more engineers to review and enforce Reli- 
ability Standards affecting the hundreds of entities that use the bulk-power system. 
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Therefore, the Commission has requested additional budget authority for 2008, the 
costs of which would be recovered through the Commission’s existing self-funding 
process. 

Background 

In August 2005, Congress enacted EPAct 2005 entrusting the Commission with 
a major new responsibility to oversee mandatory, enforceable Reliability Standards 
for the electric grid. This authority is in section 215 of the Federal Power Act (FPA). 
Section 215 requires the Commission to select an Electric Reliability Organization 
(FRO). The FRO is responsible for proposing, for Commission review and approval. 
Reliability Standards or modifications to existing Reliability Standards to help pro- 
tect and improve the reliability of the Nation’s bulk-power system. The Reliability 
Standards apply to the users, owners and operators of the bulk-power system. The 
FRO also is authorized to impose, after notice and opportunity for a hearing, pen- 
alties for violations of the Reliability Standards, subject to Commission review. The 
FRO may delegate certain responsibilities to “Regional Entities,” subject to Commis- 
sion approval. 

The Commission may approve proposed Reliability Standards or modifications if 
it finds them “just, reasonable, not unduly discriminatory or preferential, and in the 
public interest.” If the Commission disapproves a proposed standard or modification, 
FPA section 215 requires the Commission to remand it to the FRO for further con- 
sideration. The Commission, upon its own motion or upon complaint, may direct the 
FRO to submit a proposed standard or modification on a specific matter. The Com- 
mission also may initiate enforcement on its own motion but, for most violations, 
will only review the enforcement actions of the FRO. 

The Commission is qualified to perform all of these tasks and, in anticipation of 
reliability legislation being passed, it established a reliability group at the agency 
even before the passage of EPAct 2005. Commission staff played a key role in the 
U.S.-Canada Power System Outage Task Force formed to investigate the August 
2003 blackout that affected eight states, one province and an estimated 50 million 
people in the U.S. and Canada. When the Task Force issued its report in April 2004 
(Blackout Report), the Commission acted quickly to implement the report’s rec- 
ommendations addressed to the Commission. For example, the Commission an- 
nounced that no new independent system operator or regional transmission organi- 
zation would be approved until its reliability capabilities were functional. The Com- 
mission also adopted a policy statement on several other issues, such as recovery 
of prudent reliability costs, cooperation with the States, and the interpretation of 
reliability-related provisions in transmission tariffs. On this last point, the Commis- 
sion stated that tariff requirements to follow “good utility practice” would include 
compliance with the then-voluntary standards developed by NERC’s predecessor, 
the North American Electric Reliability Council. 

With this experience, the Commission has been able to implement FPA section 
215 diligently. Within 180 days of enactment, the Commission adopted rules gov- 
erning the reliability program. In the summer of 2006, it approved NERC as the 
FRO. In March 2007, the Commission approved the first set of national mandatory 
and enforceable Reliability Standards. In April 2007, it approved eight regional dele- 
gation agreements to provide for development of new or modified standards and en- 
forcement of approved standards by Regional Entities. And, just last month, the 
Commission’s Division of Reliability in the Office of Energy Markets and Reliability 
was established as its own program office, the OER, to reflect the growing impor- 
tance of the Commission’s reliability responsibilities. 

In exercising its new authority, the Commission has interacted extensively with 
NERC and the industry. The Commission also has coordinated with other federal 
agencies, such as the Department of Homeland Security, the Department of Energy 
and the Nuclear Regulatory Commission. And, the Commission has established reg- 
ular communications with regulators from Canada and Mexico regarding reliability, 
since the North American bulk-power system is an interconnected continental sys- 
tem subject to the laws of three nations. 

The Commission’s Proposed Cybersecurity Regulations 

FPA section 215 defines “reliability standardfs]” as including requirements for the 
“reliable operation” of the bulk-power system and for “cybersecurity protection.” Sec- 
tion 215 defines reliable operation to mean operating the elements of the BPS with- 
in certain limits so instability, or uncontrolled separation, or cascading failures will 
not occur “as a result of a sudden disturbance, including a cybersecurity incident.” 
Section 215 also defines a “cybersecurity incident” as a “malicious act or suspicious 
event that disrupts, or was an attempt to disrupt, the operation of those program- 
mable electronic devices and communication networks including hardware, software 
and data that are essential to the reliable operation of the bulk power system.” 
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In 2003, before the passage of EPAct 2005, NERC approved the “Urgent Action 
1200” standard (UA 1200), the first comprehensive, although temporary, cybersecu- 
rity standard for the electric industry. This voluntary standard applied to control 
areas (i.e., balancing authorities responsible for ensuring that a specific area’s sup- 
ply matches demand at any moment in time), transmission owners and operators, 
and generation owners and operators that perform certain functions. Specifically, 
UA 1200 established a self-certification process relating to the security of system 
control centers. 

In May 2006, NERC approved eight new cybersecurity standards to supersede UA 
1200. These new standards, known as the Critical Infrastructure Protection (CIP) 
standards and discussed below, are broader in scope and applicability than UA 1200 
and, if approved by the Commission, would be mandatory. In August 2006, NERC 
submitted the new standards to the Commission for approval under EPA section 
215. Citing the expanded scope of facilities and entities covered by the CIP stand- 
ards, and the investment in security upgrades required in many cases, NERC pro- 
posed an implementation plan under which certain requirements would be 
“auditably compliant” by 2009 and the others would be so by 2010. 

In December 2006, the Commission issued an assessment by its staff of NERC’s 
proposed CIP standards, and allowed 60 days for public comments. The staffs as- 
sessment was limited to a technical review, and made no final determinations on 
compliance with EPA section 215’s legal requirements. 

After receiving and analyzing the nearly 500 pages of comments from 38 entities, 
the Commission issued a Notice of Proposed Rulemaking in July 2007 proposing to 
adopt the CIP standards subject to further comment from the public. The Commis- 
sion also proposed to concurrently direct NERC to develop modifications addressing 
specific concerns identified by the Commission. 

The eight CIP standards contain over 160 requirements. Generally, the CIP 
standards would require the following actions: 

Critical Cyber Asset Identification: requires the identification of an entity’s critical 
assets and critical cyber assets using a risk-based assessment methodology. 

Security Management Controls: requires an entity to develop and implement secu- 
rity management controls to protect critical cyber assets. 

Personnel and training: requires personnel with access to critical cyber assets to 
go through identity verification, criminal background checks and employee training. 

Electronic Security Perimeters: requires the identification and protection of elec- 
tronic security perimeters and access points. The security perimeters are to encom- 
pass the critical cyber assets. 

Physical Security of Critical Cyber Assets: requires the creation and maintenance 
of a physical security plan that ensures all cyber assets within an electronic security 
perimeter are kept in an identified physical security perimeter. 

Systems Security Management: requires an entity to define methods, processes, 
and procedures for securing the systems identified as critical cyber assets, as well 
as the non-critical cyber assets within the perimeter. 

Incident Reporting and Response Planning: requires the identification, classifica- 
tion and reporting of cyber security incidents related to critical cyber assets. 

Recovery Plans for Critical Cyber Assets: requires the establishment of recovery 
plans for critical cyber assets using established business continuity and disaster re- 
covery techniques and practices. 

Public comments comprising more than 800 pages from 69 entities on the Com- 
mission’s proposed actions were filed as of October 5. The Commission’s staff has 
begun reviewing these comments, and the Commission intends to take final action 
expeditiously. 

One of the Commission’s goals is to ensure that the cybersecurity standards are 
consistent with the lessons learned from the August 2003 blackout. Thirteen of the 
46 Blackout Report recommendations relate to cybersecurity. See the Blackout Re- 
port at pp. 163 — 69. They address topics such as strict control of physical and elec- 
tronic access to operationally sensitive equipment; capability to detect wireless and 
remote wireline intrusion and surveillance; and improvement and maintenance of 
cyber forensic and diagnostic capabilities. The Blackout Report recommendations 
are a sound basis for action. 

The Commission recognizes that the CIP standards must strike a reasonable bal- 
ance. Overly prescriptive standards may become a “one size fits all” solution despite 
the significant differences in system architecture, technology and risk profile. How- 
ever, CIP standards lacking sufficient detail will provide little useful direction, 
make compliance and enforcement difficult, allow flawed implementation and result 
in inadequate protection. 

A major concern with cybersecurity is the prevalence in the industry of “legacy 
equipment” which may not be readily adaptable for purposes of cybersecurity protec- 
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tion. If this equipment is left vulnerable, it could be the focal point of efforts to dis- 
rupt the grid. Replacing this equipment or retrofitting it to incorporate cybersecurity 
protection could be costly. But a successful cyber attack could damage our bulk- 
power system and economy in ways that cost far more. This risk often may justify 
retrofitting the legacy equipment, adding a perimeter of defensive security measures 
or replacing the equipment before its useful life ends. 

In its July 2007 Notice of Proposed Rulemaking, the Commission stated its con- 
cern with the breadth of discretion left to utilities by NERC’s proposed CIP stand- 
ards. For example, NERC’s standards state that utilities “should interpret and 
apply the Reliability Standard[s] using reasonable business judgment.” Similarly, 
the standards at times require certain steps “where technically feasible,” but this 
is defined as not requiring the utility “to replace any equipment in order to achieve 
compliance.” Also, NERC’s proposal would allow a utility at times not to take cer- 
tain action if the utility documents its “acceptance of risk.” The Commission pro- 
posed to direct NERC to modify the standards to remove the terms “reasonable busi- 
ness judgment” and “acceptance of risk” while narrowing “technically feasible.” 

For certain other requirements in the CIP standards, the Commission proposed 
to address this concern about discretion by requiring external oversight of utility de- 
cisions. This oversight could be provided by industry entities with a “wide-area 
view,” such as reliability coordinators or the Regional Entities subject to the review 
of the Commission. 

The National Institute of Standards and Technology (NIST) has commented that 
its cybersecurity standards are more advanced and could provide a model for im- 
provements to the CIP standards. NIST has recommended that the Commission con- 
sider a transition to standards identical to, consistent with, or based on NIST stand- 
ards and guidelines. The Commission’s proposal so far is to not require incorpora- 
tion of the NIST standards and guidelines. However, the Commission has said it 
would expect NERC to monitor the development and implementation of the NIST 
standards to determine if they would provide better protection. Certain federal enti- 
ties, such as the Tennessee Valley Authority and Western Area Power Administra- 
tion, are required to comply with both the NIST standards and the CIP standards, 
and thus may be able to provide unique insights on this issue. The Commission ex- 
pressed its expectation that NERC will seek and consider comments from these fed- 
eral entities on the effectiveness of the NIST standards versus the CIP standards. 
Any provisions in the NIST standards that will better protect the bulk-power system 
should subsequently be addressed in the standards development process as improve- 
ments to the CIP standards. In addition to this consideration, the Commission pro- 
poses to revisit this issue in future proceedings as part of a continuing evaluation 
of existing standards, the need for new standards, or as part of assessing NERC’s 
performance as the ERO. 

Confronting Urgent Risks 

The procedures used so far for adoption of Reliability Standards have allowed 
multiple opportunities for industry and public input and taken significant time, as 
explained below. However, urgent risks may at times require immediate action, and 
the Commission currently is exploring the scope of its authority under existing law 
to take swift and effective action to prevent opportunities for cyber attacks or ad- 
dress other critical matters. 

FPA section 215 relies on the ERO to develop and submit proposed Reliability 
Standards. NERC’s procedures for doing so allow extensive opportunity for industry 
comment, generally based on the procedures of the American National Standards 
Institute (ANSI). 'The NERC process is intended to develop consensus on both the 
need for the standard and on the substance of the proposed standard. Although in- 
clusive, the process is not nimble and can take years to develop standards for the 
Commission’s review. 

Key steps in the NERC process include: nomination of a proposed standard using 
a Standard Authorization Request (SAR); public posting of the SAR for comment; 
review of the comments by NERC staff; drafting or redrafting of the standard by 
an assigned team; public posting of the draft standard; field testing of the draft 
standard, if appropriate; formal balloting of the draft standard, with approval based 
on 75 percent of total votes and two-thirds of weighted industry sector votes; re-bal- 
loting, if negative votes are supported by specific comments; voting by NERC’s board 
of trustees; and an appeals mechanism to resolve any complaints about the stand- 
ards process. NERC-approved standards are then submitted to the Commission for 
its review. 

For the first set of Reliability Standards proposed by NERC and for the CIP 
standards currently under consideration, the Commission began its process by 
issuing a staff assessment of the proposed standards and allowing public comment 
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on the assessment. Based on its consideration of those comments, the Commission 
then issued a “Notice of Proposed Rulemaking” identifying the Commission’s pro- 
posed actions and allowing additional opportunities for public comment. After con- 
sidering these additional comments, the Commission will issue a “Final Rule,” 
adopting or modifying its proposed actions. 

Generally, the procedures used by NERC and the Commission are appropriate in 
allowing extensive opportunities for industry and public comment. The public and 
our economy depend critically on having a reliable supply of electricity, and Reli- 
ability Standards usually should be adopted only after thorough and open vetting 
of all relevant considerations. 

Certain circumstances, however, may require immediate action. If a significant 
vulnerability in the bulk-power system is identified, procedures used so far for adop- 
tion of Reliability Standards may take too long to implement corrective steps. Also, 
those procedures would widely publicize the vulnerability and the possible solutions, 
thus increasing the risk of hostile actions before the appropriate solutions are imple- 
mented. 

Recently, CNN broadcast a story alleging the existence of a cybervulnerability on 
the electric grid. The story included video of a small generating unit allegedly being 
damaged by a cyber attack, and also showed an economist stating that there could 
be a $700 billion dollar impact to our economy if generating facilities serving one- 
third of our Nation’s electric load were disabled for three months through such at- 
tacks. 

This story has prompted the Commission to reexamine its authority to quickly 
mitigate verified cybervulnerability risks and to protect security-sensitive informa- 
tion from inappropriate disclosure. If the Commission determines that it does not 
have adequate authority to promptly address cybersecurity risks and adequately 
protect security-sensitive information, or that its authority needs to be clarified, it 
will seek additional legislation. 

The Commission Needs More Funding for Reliability 

As noted above, the Commission has certified NERC as the ERO; approved the 
first set of mandatory and enforceable Reliability Standards (83 of NERC’s initial 
107 while calling for significant modifications to 56 of the 83); and approved delega- 
tion agreements between NERC and eight Regional Entities. With these steps, the 
Commission is well positioned to implement FPA section 215. However, more re- 
sources are needed by the Commission in all areas of reliability, including physical 
and cyber standards development, compliance and enforcement, investigation and 
analysis, and reports and assessments. In addition, the new Reliability Standards, 
including cybersecurity standards, will take significant work by the Commission, the 
ERO and the industry, and thus competition for experienced personnel, particularly 
engineers, is strong. Oversight of the reliability of the Nation’s bulk-power system 
is one of the most important functions ever undertaken by the Commission and the 
Congress’s budget support in providing necessary resources is critical. 

The Commission will continue to work with the ERO and industry to strengthen 
Reliability Standards. Our staff will monitor and engage in the standards develop- 
ment process to provide timely feedback to stakeholders. NERC and industry stake- 
holders have requested the Commission’s staff to be involved in the standards devel- 
opment process. We believe the process will work better if the Commission’s staff 
is involved from the beginning, to help ensure that necessary improvements to the 
standards are made timely and comport with Commission directives. This is impor- 
tant because section 215 does not give the Commission explicit authority to revise 
or write the standards. Instead, the Commission can only direct the ERO to submit 
a standard on a specific matter or remand a proposed standard to the ERO with 
directions for modification, and the standards development and revision process is 
lengthy. 

In addition. Commission staff will participate with the Regional Entities in a 
number of regular compliance audits and in analyzing selected incidents on the 
bulk-power system. Staff also will analyze and/or prepare reports on various issues 
concerning the reliability and security of the bulk-power system. 

The Commission has moved quickly to fulfill the Congressional intent of FPA sec- 
tion 215. However, after we completed the actions cited above, we came to under- 
stand better the resource needs for our new reliability responsibilities. For example, 
approximately 1500 U.S. utilities or users of the bulk-power system are now “reg- 
istered” by NERC to comply with the Reliability Standards. The Commission’s juris- 
diction to implement and enforce FPA section 215 for such a large number of enti- 
ties serving the entire United States bulk-power system is a significant responsi- 
bility and requires a significant commitment of resources. 
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Thus, in June of this year, the Commission’s Chairman wrote to the Chairmen 
and Ranking Members of the House and Senate Appropriations Committees, seek- 
ing an additional $9 million for our reliability work in fiscal year 2008. This would 
provide for an additional 55 Full-Time Equivalents (FTEs) to support its reliability 
program. These FTEs would consist primarily of electrical engineers, power system 
experts, auditors and lawyers. The Commission’s Chairman also asked for author- 
ization to hire electrical engineers non-competitively up to the GS-15 level, and to 
hire six additional executive senior level (SL) staff in support of its reliability pro- 
gram. As you may know, the Commission is a self-supporting agency and would re- 
cover the additional appropriations through fees and annual charges, as it does all 
of its costs, and will operate at no net cost to the taxpayer. I encourage you to sup- 
port these requests by the Commission. 

Conclusion 

I stress that the Commission is taking all the steps it can to protect the bulk- 
power system and is dedicated to fulfilling Congress’s goals. Thank you again for 
the opportunity to testify today. I would be happy to answer any questions you may 
have. 

Mr. Langevin. The Chair now recognizes Mr. Whiteley to sum- 
marize your statement for 5 minutes. 

STATEMENT OF DAVID WHITELEY, EXECUTIVE VICE 

PRESIDENT, NORTH AMERICAN ELECTRIC RELIABILITY 

CORPORATION 

Mr. Whiteley. Thank you, Mr. Chairman, Ranking Member 
McCaul and members of the subcommittee. I am pleased to appear 
on behalf of the North American Electric Reliability Corporation to 
explain how we and the electric industry are working to protect the 
security of the control systems of the bulk power grid. 

My comments this afternoon will focus on three points: first, that 
NERC takes very seriously its responsibility in protecting the over- 
all reliability of the bulk power system; second, that NERC’s crit- 
ical infrastructure protection, or CIP, reliability standards will en- 
hance the cybersecurity of control systems and grid reliability; and 
third, that continuous improvement in NERC’s reliability stand- 
ards will allow for further coordination with cybersecurity stand- 
ards and guidelines, such as the NIST guidelines, that are relevant 
for control systems. 

NERC was established in 1968 with a mission to develop and im- 
plement standards to ensure the reliable operation of the bulk 
power system in North America. When Congress passed the Energy 
Policy Act of 2005, it codified this responsibility in the Federal 
Power Act, and Congress charged FERC with certifying an Electric 
Reliability Organization, or ERO, that will develop and enforce reli- 
ability standards to provide for the reliable operation of the bulk 
power system but only the bulk power system. 

NERC is committed to exercising to the fullest extent the author- 
ity to ensure grid reliability within the limits provided in the law. 

The Energy Policy Act expressly excluded local distribution facili- 
ties from the definition of bulk power system. That said, NERC has 
worked diligently to implement the reliability authority as FERC’s 
certified ERO. 

The system of voluntary standards administered by NERC for 
more than 30 years was replaced on June 18 with a new set of 
mandatory reliability standards applicable to all users, owners and 
operators of the bulk power system. 

NERC realizes that cybersecurity of grid control systems is an 
important element of the overall reliability of the system and has 
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been an increasing priority for every sector of the U.S. economy 
since the turn of the century. NERC has recognized and responded 
to this challenge first through the voluntary cybersecurity standard 
and now through proposed mandatory CIP reliability standards. 
FERC approval of the standards, along with parallel action by Ca- 
nadian authorities, will enhance the reliability of the transmission 
grid in North America. These standards will improve the resiliency 
of control systems’ cyber assets and increase the ability of these 
systems to withstand cyber-based attacks. Cybersecurity require- 
ments will be applied to functions and to companies that have 
never been subject to standards in the past. 

In the course of developing the CIP standards, NERC evaluated 
NIST’s ongoing work to apply its recommended security controls for 
Federal information systems along with other NIST work to the 
bulk power system. NERC determined, and FERC agreed, that the 
NIST guidelines cannot substitute for reliability standards devel- 
oped specifically for the bulk power grid. The existing guidelines 
from NIST for information security are not directly applicable to 
control systems. 

NIST has continued to work in this area and has released addi- 
tional draft guidance. However, because mandatory cybersecurity 
standards to secure grid reliability are needed now, issuance of the 
CIP reliability standards could not be delayed in order to await 
completion of the NIST process. In addition, the substitution of 
NIST guideline development for information systems into a manda- 
tory reliability standard for electric grid control systems would not 
meet the requirements of the Federal Power Act that governed the 
process and procedures developed by NERC. 

Another consideration is that the bulk power system is inter- 
connected within North America. This means that the bulk power 
system reliability standards must also be recognized in Canada, 
and the NERC standards development process requires Canadian 
input. Because the NIST guideline development process does not 
have to take into account the international aspect of the bulk 
power grid, they would not necessarily be applicable for cross-bor- 
der application. 

We will evaluate how all of our reliability standards work in 
practice, will monitor industry and technology developments and 
determine on an ongoing basis whether these standards should be 
improved or new standards should be developed. 

In summary, the key to improving the reliability of the North 
American power system is to put good standards in place as soon 
as possible and then make them better. The CIP reliability stand- 
ards are a sound starting point for the electric industry, and with 
regard to cybersecurity issues, a sound starting point as well. They 
can and should be made effective promptly. 

This concludes my prepared remarks, and I look forward to an- 
swering your questions. 

Mr. Langevin. Thank you, Mr. Whiteley. 

[The statement of Mr. Whiteley follows:] 
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Prepared Statement of David A. Whiteley 

Mr. Chairman and Members of the Subcommittee, the North American Electric 
Reliability Corporation ^ (“NERC”) is pleased to provide this testimony on how we 
and the electric industry are working to protect the security of the control systems 
for the bulk power grid throughout North America pursuant to the authority set 
forth in Section 215 of the Eederal Power Act (“FPA”), as enacted through the En- 
ergy Policy Act of 2005 (“EPAct 2005”)-^ Protecting the overall reliability of the bulk 
power system, including ensuring the security and reliability of grid control systems, 
has been a high priority for NERC since well before the enactment of EPAct 2005, 
and we take this matter very seriously. As the Committee is aware, under the au- 
thority of EPA Section 215, NERC has proposed eight Critical Infrastructure Protec- 
tion Reliability Standards for approval by the Eederal Energy Regulatory Commis- 
sion (“EERC” or “Commission”). FERC approval of the standards that NERC has 
proposed in this area, along with parallel action by appropriate governmental au- 
thorities in Canada, will enhance the cybersecurity of these control systems and the 
reliability of the interconnected electric transmission grid. 

EXECUTIVE SUMMARY 

Cyber security of control systems is an increasing priority for every sector of the 
U.S. economy. On behalf of the electric power sector, NERC has recognized and re- 
sponded to this challenge, first through a voluntary cybersecurity standard and now 
through proposed mandatory Critical Infrastructure Protection (“CIP”) Reliability 
Standards for the bulk power grid. These mandatory standards are intended to as- 
sure that the electricity industry will devote the necessary organizational resources 
to securing control systems, and that the industry will identify, respond to and re- 
port cyber security incidents related to critical cyber assets. 

Since its establishment in 1968, NERC’s mission has been the development and 
implementation of standards to ensure the reliable operation of the interconnected 
North American bulk power electric grid in the U.S. and Canada and Mexico. The 
system of voluntary standards administered by NERC for more than 30 years was 
replaced on June 18, 2007, with a new set of mandatory Reliability Standards appli- 
cable to all users, owners and operators of the “bulk power system.” NERC stands 
ready to take additional steps as warranted to protect the reliability and cybersecu- 
rity of the grid. 

Mandatory and enforceable Reliability Standards under Section 215 of the FPA 
are to provide for the reliable operation of the bulk power system only. Section 215 
expressly excludes local distribution facilities from the definition of “bulk power sys- 
tem.” Moreover, Section 215 does not extend any authority for the regulation of reli- 
ability or cybersecurity beyond that which is necessary for reliable operations of the 
transmission grid. While critical infrastructures in various sectors of the U.S. econ- 
omy are dependent upon the bulk power system, NERC’s authority to propose and 
enforce reliability standards is confined to a single sector of the economy. 

We will evaluate how all of our Reliability Standards work in practice, monitor 
industry and technology developments, and determine on an ongoing basis whether 
these Standards should be improved, or new standards should be promulgated. The 
key to improving the reliability of the North American bulk power system is to put 
in place good standards, as soon as possible. The CIP Reliability Standards are a 
sound starting point for the electric industry. They can and should be made effective 
promptly so that they can be implemented now. 

In the course of developing the CIP Reliability Standards, NERC evaluated the 
National Institute of Standards and Technology’s (“NIST”) ongoing work to apply its 
Special Publication (SP) 800-53, Recommended Security Controls for Federal Infor- 
mation Systems, to control systems, and other work underway at NIST to develop 
guidance on securing control systems. However, the need for mandatory cybersecu- 
rity standards to secure grid reliability is immediate, and issuance of the CIP Reli- 
ability Standards could not be delayed in order to await completion of the NIST 
process. 

Importantly, bulk power system reliability standards also must be acceptable to 
regulators in Canada and Mexico. We are not addressing only U.S. facilities with 
these standards. The NERC standards development process provides a carefully 
crafted mechanism designed to ensure that final standards proposals have been de- 


^NERC is the corporate successor to the North American Electric Reliability Council, also 
called “NERC,” formed to serve as the electric reliability organization (“ERO”) authorized by 
Section 215 of the FPA. 

2 Energy Policy Act of 2005, Pub. L. No. 109-58, Title XII, Subtitle A, 119 Stat. 594, 941 
(2005). 
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veloped with Canadian (and Mexican, where appropriate) input. Because the NIST 
guideline development process does not have to take into account the international 
aspect of the hulk power grid, the U.S. government standards for U.S. government 
facilities resulting from that process would not necessarily he acceptable. 

Moreover, there are also important substantive and process-related reasons why 
any future final NIST guidelines cannot substitute for Reliability Standards devel- 
oped specifically for the bulk power grid. First, the guidelines available from NIST 
for information security when the CIP Reliability Standards were being developed 
were not appropriate for control systems. Second, Section 215 of the FPA sets forth 
requirements for the process and procedures through which NERC, as the ERO, 
may establish Reliability Standards. FERC has approved the NERC standards-set- 
ting process. The conversion of a NIST guideline developed for information systems 
directly into a mandatory Reliability Standard for electric grid control systems 
would not comply with the statutory procedural requirements under which NERC 
operates. 

NERC will continue to monitor the progress of the NIST process, and as CIP Reli- 
ability Standards continue to evolve, there will be future opportunities to continue 
to reflect NIST documents and guidance as appropriate. 

I. BACKGROUND 


A. NERC. 

NERC’s mission is to ensure the bulk power system in North America is reliable. 
To achieve this objective, NERC develops and enforces reliability standards; mon- 
itors the bulk power system; assesses and reports on future adequacy; evaluates 
owners, operators, and users for reliability preparedness; and educates, trains and 
certifies industry personnel. NERC is a self-regulatory organization that relies on 
the diverse and collective expertise of industry participants. FERC certified NERC 
as the electric reliability organization (“ERO”) in July 2006.^ 

Because Reliability Standards are applicable to the entire, interconnected North 
American bulk power system, NERC is subject to oversight by the governmental au- 
thorities in both Canada and the United States. In the U.S., with oversight from 
FERC, as of June 18, 2007, NERC has legal authority to enforce reliability stand- 
ards applicable to all owners, operators, and users of the bulk power system, rather 
than relying on voluntary compliance. NERC is seeking similar recognition by gov- 
ernmental authorities in Canada, including eight provinces and the National Energy 
Board, and will seek recognition in Mexico at the appropriate time. 

B. Statutory Authority Over Bulk Power System Reliability. 

Section 215 of the Federal Power Act establishes the framework for mandatory 
and enforceable Reliability Standards applicable to all users, owners and operators 
of the bulk power system. Section 215 assigns to the Commission the duties of ap- 
proving and enforcing rules to ensure the reliability of the Nation’s bulk power sys- 
tem. Section 215 requires the Commission to issue rules for the certification of an 
ERO charged with developing and enforcing mandatory Reliability Standards, sub- 
ject to Commission approval. Section 215 also gives the Commission the regulatory 
responsibility to approve standards that protect the reliability of the bulk power sys- 
tem. 

Consistent with the law, the development and enforcement of Reliability Stand- 
ards is now the responsibility of the ERO. As noted above, FERC’s certification of 
NERC as the ERO places this responsibility squarely on NERC. However, NERC’s 
authority pursuant to Section 215 relates solely to ensuring the reliability of the 
bulk power system. FPA Section 215(a)(1) defines the term “bulk power system” to 
mean 

(A) facilities and control systems necessary for operating an interconnected elec- 
tric energy transmission network (or any portion thereof); and 

(B) electric energy from generation facilities needed to maintain transmission 
system reliability. 

The statutory definition expressly excludes “facilities used in the local distribution 
of electric energy.” 

FPA Section 215 defines the term “Reliability Standard” to mean: 

a requirement, approved by the Commission. . .to provide for reliable operation 
of the bulk-power system. The term includes requirements for the operation of exist- 
ing bulk-power system facilities, including cybersecurity protection, and the design 
of planned additions or modifications to such facilities to the extent necessary to 


^See Order Certifying North American Electric Reliability Corporation as the Electric Reli- 
ability Organization and Ordering Compliance Filing, 116 FERC H 61,062 (2006). 
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provide for reliable operation of the bulk-power system, but the term does not in- 
clude any requirement to enlarge such facilities or to construct new transmission 
capacity or generation capacity. 

FPA Section 215(a)(3). Under FPA Section 215(a)(4), “reliable operation,” as used 
in the definition of Reliability Standard, means operating the elements of the bulk- 
power system within equipment and electric system thermal, voltage and stability 
limits so that instability, uncontrolled separation, or cascading failures of such sys- 
tem will not occur as a result of a sudden disturbance, including a cybersecurity in- 
cident, or unanticipated failure of system elements. 

The statute also defines a “cybersecurity incident” that the Reliability Standards 
developed by the ERO are to guard against: 

“cybersecurity incident” means a malicious act or suspicious event that disrupts, 
or was an attempt to disrupt, the operation of those programmable electronic de- 
vices and communication networks including hardware, software and data that are 
essential to the reliable operation of the bulk power system. 

FPA Section 215(a)(8) (emphasis supplied). 

Congress spent eight years considering the need for reliability legislation and re- 
fining the legislative lan^age, choosing its words carefully to be very specific about 
the extent of and limitations on the jurisdiction of FERC and the ERO with respect 
to enforceable reliability standards. Congress also was clear that it wanted to cap- 
ture the expertise of the industry in developing Reliability Standards and in moni- 
toring and enforcing compliance with Standards through an audited self-regulatory 
system. Eor this reason, and because Reliability Standards apply not only in the 
U.S. but also in Canada, EERC’s role is one of approving standards, not developing 
them in the first place, and in overseeing the activities of the ERO. FPA Section 
215(d)(2) provides that in executing its responsibilities to review, approve and en- 
force mandatory reliability standards, the Commission is authorized to approve 
those proposed standards that the Commission finds are just, reasonable, not un- 
duly discriminatory or preferential, and in the public interest. Moreover, the Com- 
mission “shall give due weight to the technical expertise of the Electric Reliability 
Organization with respect to the content of a proposed reliability standard. . . .” 
Eurther, the statute requires that in applying its expertise and developing Reli- 
ability Standards, the ERO certified hy the Commission must have established rules 
that “provide for reasonable notice and opportunity for public comment, due process, 
openness, and balance of interests in developing reliability standards. . . .” See FPA 
section 215(c)(2)(D). 

II. RESPONSE TO ISSUES IDENTIFIED BY THE COMMITTEE 

A. NERC’s Authority To Prescribe Critical Infrastructure Protection 
Rules Is Limited To The Electric Power Sector Only And Does Not Extend 
To Regulation Of Distribution Systems Or Other Infrastructures. 

As described above, the authority granted to the ERO pursuant to Section 215 of 
the Federal Power Act is not unlimited. FPA Section 215 does not convey authority 
to apply mandatory and enforceable reliability standards to the distribution system. 
The authority of the ERO extends only to elements of the bulk power system as de- 
fined in the statute. The only entities that under the law must comply with ERO- 
developed reliability standards are “users, owners and operators of the bulk-power 
system.” Subject to FERC’s approval, NERC has developed a compliance registry 
that identifies these entities, consistent with the statutory requirements. 

The standards that NERC has proposed to the Commission are consistent with 
Section 215 of the EPA. We believe those standards, when taken as a whole and 
as they develop over time, will continue to provide a level of reliability that is com- 
mensurate with the statutory requirements. 

B. The CIP Reliability Standards Were Developed Through A Rigorous 
Process That Took The NIST Guidance Into Account. 

Section 39.5(a) of the Commission’s regulations requires the ERO to file with the 
Commission for approval each reliability standard the ERO proposes to become 
mandatory and enforceable in the United States, and each proposed modification to 
a reliability standard. NERC and the Commission have made substantial progress 
in proposing and approving reliability standards to be mandatory and enforceable 
in the United States. NERC filed a petition for approval of 102 existing Reliability 
Standards in FERC Docket No. RM06-16 on April 4, 2006. NERC filed a second pe- 
tition for the approval of proposed reliability standards August 28, 2006, submitting 
16 new standards for approval and revisions to 11 of the reliability standards pre- 
viously submitted. Of the 16 new standards submitted, eight were Critical Infra- 
structure Protection cyber security standards. 
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On December 11, 2006, the Commission Staff issued an assessment of the cyber 
security standards as a basis to solicit comments on those proposed standards. On 
July 20, 2007, the Commission issued a Notice of Proposed Rulemaking (“NOPR”) 
generally proposing to approve the CIP Reliability Standards as mandatory and en- 
forceable, while also proposing to require NERC to make specific modifications to 
certain of the standards.'^ The deadline for comments on the NOPR was October 5, 
2007, and the Commission has received approximately 100 comments on the staff 
assessment and the proposed standards. 

1. Background of Proposed Cyber Security Standards. 

The initial work on the proposed cyber security standards dates back to 2002 
when NERC’s Critical Infrastructure Protection Advisory Group (“CIPAG”) ® drafted 
cyber security language that ultimately appeared in Appendix G of the Commis- 
sion’s “Standard Market Design’ NOPR.® Since then, NERC has continued to raise 
the bar on cyber security, first by adopting Cyber Security Urgent Action Standard 
1200 in 2003,'^ and again with the proposed standards filed with the Commission 
in August 2006. 

Reflecting Congress’s objective in FPA Section 215 that industry expertise should 
be brought to bear in the development of Reliability Standards, the proposed cyber 
security standards have been crafted with significant industry input by experts in 
the area and a debate of key issues through a process accredited by the American 
National Standards Institute (“ANSI”). The Standard Authorization Request (“SAR”) 
for the cyher security standards was submitted to NERC on May 2, 2003. After two 
public comment periods, the industry reached a consensus on the scope and jus- 
tification for the standards. The Standards Authorization Committee (“SAC”) ap- 
pointed a drafting team of security experts to begin development of these standards 
in May 2004. 

Drafting team members brought significant experience and expertise from a broad 
spectrum of security related disciplines including information technology security, 
physical security, compliance auditing, personnel and training, energy management 
systems (“EMS”), and system control and data acquisition (“SCADA”) system oper- 
ations. Drafting team members also brought expert knowledge of existing govern- 
ment regulations affecting security such as Sarbanes-Oxley and the Federal Infor- 
mation Security Management Act of 2002 (“FISMA”), as well as existing security re- 
lated standards such as International Standards Organization (“ISO”) Standard 
17799 and the hody of work promulgated by NIST. A number of members of the 
drafting team held professional security certifications. Membership on the drafting 
team fairly represented ownership segments in the electric industry and a balance 
between U.S. and Canadian participation. 


"^Mandatory Reliability Standards for Critical Infrastructure Protection, Docket No. RM06— 22, 
120 FERC I 61,077 (2007). FERC’s NOPR described the proposed CIP Reliability Standards as 
“the most thorough attempt to date to address cyber security issues that relate to the Bulk- 
Power System.” NOPR, P 13. Given the nature of the cyber security threat, the Commission ac- 
knowledged that “cyber security strategies must comprise a layered, interwoven approach to 
vigilantly protect the Bulk-Power System against evolving cyber security threats.” NOPR, P 15. 
FERC proposed to approve NERC’s proposed Implementation Plan for the CIP Reliability Stand- 
ards, which sets forth “a timeline by calendar quarters for completing various tasks and pre- 
scribes milestones for when a responsible entity must: (1) “begin work;” (2) “be substantially 
compliant” with a requirement; (3) “be compliant” with a requirement; and (4) “be auditably 
compliant” with a requirement.” NOPR, PP 43,47. FERC also proposed to approve the 162 pro- 
posed Violation Risk Factor assignments proposed by NERC that correspond to the require- 
ments of the CIP Reliability Standards and to direct NERC to revise 43 of them, as well as 
to assign Violation Risk Factors to additional requirements under the CIP Reliability Standards. 
NOPR, P 325. Violation Risk Factors indicate the potential or expected impact to the reliability 
of the Bulk-Power System of the violation of a particular Reliability Standard requirement. Vio- 
lation Risk Factors are used by NERC in setting penalty amounts for violations of a Reliability 
Standard. 

^The CIPAG was a predecessor organization to NERC’s current Critical Infrastructure Protec- 
tion Committee (“CIPC”). 

^Remedying Undue Discrimination through Open Access Transmission Service and Standard 
Electricity Market Design, Notice of Proposed Rulemaking, 67 Fed. Reg. 55,452 (Aug. 29, 2002), 
FERC Stats. & Regs. I 32,563 (2002). The Standard Market Design NOPR was never finalized. 

Cyber Security Urgent Action Standard 1200 was a voluntary standard that applied to con- 
trol areas, transmission owners and operators, and generation owners and operators performing 
certain specific functions. The voluntary standard established a self-certification process relating 
to the security of system control centers of covered entities. The Urgent Action 1200 standard 
was effective on a voluntary basis until June 1, 2006, when it was replaced by the eight CIP 
Reliability Standards that are the subject of the current FERC rulemaking. 
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Throughout the development process, the drafting team insisted on looking be- 
yond generally accepted “best practices.” They sought to establish relevant, thor- 
ough requirements with unambiguous measures for determining compliance. Three 
versions of the cyber security standards were posted to solicit input from the indus- 
try and other interested parties. More than 2,500 pages of comments and responses 
to the comments were provided in response to the three postings of the draft stand- 
ards. The fourth and final version was submitted to ballot of the stakeholders. The 
number and volume of comments received represented an extraordinary level of in- 
volvement by the industry during the development process. 

2. NERC’s CIP Reliability Standards Proposal. 

In the August 2006 submission to FERC, NERC proposed eight new cybersecurity 
standards (CIP-002-1 to CIP-009-1) to provide a comprehensive set of require- 
ments to protect the bulk power system from malicious cyber attacks. Because there 
are unique aspects of cyber protection for each entity and its assets, the standards 
require bulk power system owners, operators, and users to step through a sequence 
of establishing a risk-based vulnerability assessment method and using that method 
to identify and prioritize critical assets and critical cyber assets. Once the critical 
cyber assets are identified, the standards require the responsible entities to estab- 
lish plans, protocols, and controls to safeguard physical and electronic access, to 
train personnel on security matters, to report security incidents, and to be prepared 
for recovery actions. The proposed cyber security standards propose the most com- 
prehensive set of requirements ever utilized on a widespread basis in the electric 
industry. 

Because of the expanded scope of facilities and entities covered by these stand- 
ards, and the investment in security upgrades required in many cases, the imple- 
mentation plan calls for a three-year phase-in to achieve full compliance with all 
requirements. The transition builds progressively from the requirements that were 
previously in place with the 1200 Urgent Action Standard. In other words, the in- 
dustry is improving its security measures in stages from the level established in 
2003 with the interim standard to an extraordinarily robust set of auditable require- 
ments by end of year 2009. 

The proposed standards will apply to 11 categories of “Responsible Entities,” in- 
cluding NERC itself, the Regional Reliability Entities, reliability coordinators [which 
may include Regional Transmission Organizations or Independent System Opera- 
tors], balancing authorities, interchange authorities, transmission service providers, 
transmission owners, transmission operators, generator owners, generator operators, 
and load serving entities. As set forth in the NOPR, the proposed standards address: 

• CIP-002-1 — Cyber Security — Critical Cyber Asset Identification: 
Requires a responsible entity to identify its critical assets and critical cyber as- 
sets using a risk-based assessment methodology. 

• CIP-003-1 — Cyber Security — Security Management Controls: 

Requires a responsible entity to develop and implement security management 
controls to protect critical cyber assets identified pursuant to CIP-002-1. 

• CIP-004-1 — Cyber Security — Personnel & Training: 

Requires personnel with access to critical cyber assets to have an identity 
verification and a criminal check. Also requires employee training. 

• CIP-005-1 — Cyber Security — Electronic Security Perimeters: 

Requires the identification and protection of an electronic security perimeter 
and access points. The electronic security perimeter is to encompass the critical 
cyber assets identified pursuant to the risk-based assessment methodology re- 
quired by CIP-002-1. 

• CIP-006-1 — Cyber Security — Physical Security of Critical Cyber As- 
sets: 

Requires a responsible entity to create and maintain a physical security plan 
that ensures tbat all cyber assets within an electronic security perimeter are 
kept in an identified physical security perimeter. 

• ClP-007-1 — Cyber Security — Systems Security Management: 

Requires a responsible entity to define methods, processes, and procedures for 
securing the systems identified as critical cyber assets, as well as the non-crit- 
ical cyber assets within an electronic security perimeter. 

• CIP-008-1 — Cyber Security — Incident Reporting and Response Plan- 
ning: 

Requires a responsible entity to identify, classify, respond to, and report cyber 
security incidents related to critical cyber assets. 

• CIP-009-1 — Cyber Security — Recovery Plans for Critical Cyber As- 
sets: 
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Requires the establishment of recovery plans for critical cyber assets using es- 
tablished business continuity and disaster recovery techniques and practices. 

The cyber security standards proposed by NERC provide firm requirements that 
can be implemented by all participants in the electricity sector regardless of size, 
staffing levels, or levels of sophistication. Some members of the electricity sector al- 
ready meet or exceed the proposed standards. However, the standards may be a sig- 
nificant burden on some entities that have not heretofore been required to imple- 
ment cyber security programs. Throughout the development process, the drafting 
team attempted to push the bar beyond the generally accepted industry best prac- 
tices, and to ensure that every component part has at least the minimum protection 
necessary to protect the reliability of the bulk power system as a whole. The result- 
ing standards represent a balanced set of outcomes in a diverse industry. These 
standards are rigorous, but compliance can be achieved by all “owners, operators 
and users” of the bulk power system. 

The proposed cyber security standards fulfill relevant portions of Recommenda- 
tions 32 and 32. A of the United States ! Canada Power System Outage Task Force 
report. These recommendations state, in part, that NERC should finalize and imple- 
ment the CIP-002-1 to CIP-009-1 standards, that NERC standards related to 
physical and cyber security should be made mandatory and enforceable, and that 
NERC should take actions to better communicate and enforce these standards. To 
help the industry understand and implement these standards, NERC held a series 
of ten industry workshops on the standards for bulk power system owners, opera- 
tors, and users that were conducted across North America. 

NERC also believes that these cyber security standards are a landmark for the 
implementation of mandatory cyber security in a non-business environment. These 
standards represent, for the first time, a set of mandatory security requirements for 
an entire industry. Other statutory and regulatory attempts have not been as pro- 
scriptive or as specific as these standards. 

These proposed standards are different from traditional information technology 
security standards. The CIP Reliability Standards apply information technology se- 
curity principles, which are commonly accepted in the business environment, to bulk 
power system control systems which were not designed with these security prin- 
ciples in mind. As such, the security principles must be carefully applied to ensure 
that there are no unintended consequences that undermine bulk power system reli- 
ability. These standards must prescribe what is required of real-time critical bulk 
power system operating systems. This differs from what can be prescribed for se- 
cured business systems. 

Promulgating standards for the bulk power system that draw too closely on the 
standards appropriate for secured business systems could result in a less reliable 
bulk power system, either because of decreased operations or decreased security. 
Two examples of this are (1) the use of password-protected screen savers on com- 
puters, and (2) automatic lockout of accounts following invalid passwords. Both of 
these are accepted business system security practices, but they lead directly to re- 
duced ability to reliably operate a real-time control system, and thus to a less reli- 
able bulk power system. In the case of a password-protected screensaver, the busi- 
ness justification is to reduce the release of confidential information or misuse of 
the computing resources; in a control system, it results in a lack of visibility of key 
real-time operating parameters that must be constantly observed to ensure reliable 
operations. In the case of password lockout, business systems use the lockout as a 
preventative measure to ensure that information and computer resources cannot be 
used following an concerted attack; in a control system the need to rapidly be able 
to get access to a system under all circumstances may result in mis-typed pass- 
words, which could lead to the complete inability to monitor or take corrective ac- 
tions to maintain reliable operations. In both cases, control systems implement al- 
ternate mitigating controls, including increased physical security and additional per- 
sonnel that the business systems cannot assume, to ensure that the systems are not 
misused. 
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The proposed cyber security standards will increase the reliability of the bulk 
power system by improving the resiliency of the control system cyber assets and im- 
proving their ability to withstand cyber-based attacks. Cyber security requirements 
will be applied to functions and companies where they have never before been ap- 
plied. NERC has applied cyber security standards to control centers through prior 
standards; however, the Standards currently before the Commission are the first to 
require cyber security in either a substation or generating plant environment. 

3. Interaction Between NERC and NIST Processes. 

The FERC NOPR addresses the relationship between the CIP Reliability Stand- 
ards and other existing standards for cyber security, both governmental standards 
and industrial standards. See NOPR, PP 87 — 88. Specifically, the Commission re- 
ceived a recommendation that Federal Information Processing Standards (“FIPS”) 
199, FIPS 200, and NIST Special Publication 800-53 Revision 1, Recommended Se- 
curity Controls for Federal Information Systems (“SP 800-53”) be used as the basis 
for cyber security requirements applicable to the electric power sector. The National 
Institute of Standards and Technology recommended that FERC consider a transi- 
tion to cyber security standards identical to, consistent with or based on SP 800- 
53 and related guidelines. 

The Commission declined to propose such a transition in the NOPR: 

The Commission declines to propose at this time that NERC incorporate any 
provisions of the NIST standards into the CIP Reliability Standards. However, 
the Commission expects NERC to monitor the development and implementation 
of the NIST standards to determine if they contain provisions that will better 
protect the Bulk-Power System. Several federal entities, such as the Tennessee 
Valley Authority and Western Area Power Administration, are subject to both 
the NIST standards and the Reliability Standards, and therefore are likely to 
have unique insights into the NIST standards. The Commission expects the 
ERO to seek and consider comments from those federal entities on the effective- 
ness of the NIST standards and on any implementation issues. Any provisions 
that will better protect the Bulk-Power System should be addressed in the 
ERO’s Reliability Standards development process. The Commission may revisit 
this issue in future proceedings as part of an evaluation of existing Reliability 
Standards or the need for new Reliability Standards, or as part of assessing 
NERC’s performance of its responsibilities as the ERO. 

NOPR, P 88 (footnote omitted). 

NERC agrees fully with the Commission’s determination. During the development 
of the CIP Reliability Standards discussed above, participants in the standards de- 
velopment process acknowledged that NIST’s existing FISMA guidance is not appro- 
priate for control systems. NIST has continued its work in this area, and has devel- 
oped guidance, which is still in the draft stage, on applicable actions to be per- 
formed in support of FISMA compliance to control systems. To date, NIST has re- 
leased two public draft versions of its revised guidance (in July 2005 and June 
2007). As of this date, however, the guidance has not been approved by NIST, nor 
issued in final form. Given the importance of the cybersecurity standards and the 
critical need to have standards in place and enforceable as soon as possible, it would 
not have been appropriate to delay the NERC standards development process in 
order to await the final outcome of the NIST process. 

Additionally, as described above, NERC’s procedures for the development of reli- 
ability standards are governed by the Federal Power Act. In certifying NERC as the 
ERO, FERC approved NERC’s ANSI-approved standards development process as 
consistent with the statutory requirements. This ANSI-approved process is essen- 
tially the same as that used by other standards organizations, including the IEEE, 
ISA, and ANSI itself. In contrast, the NIST process is not an ANSI-accredited proc- 
ess, and does not include a stakeholder ballot. As all of the Reliability Standards 
developed by NERC and submitted to FERC for approval must be developed 
through the FERC-approved ANSI process, NERC cannot simply adopt a NIST 
guideline as a Reliability Standard. While the NIST proposals can be (and have 
been) considered in the ERO standards development process, the resulting standard 
cannot be the NIST document or guideline. 
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C. While Interdependency Is A Significant Issue, The CIP Reliability 
Standards Can Only Address Critical Assets In The Electricity Sector. 

Another issue addressed in the NOPR, and in the FERC staff assessment pro- 
posed CIP-002-1 regarding the identification of critical assets, concerned the “inter- 
dependency” with other infrastructures. The staff assessment asked for comments 
on whether CIP-002-1 should address this matter, and whether there should be co- 
ordination and collaboration in the future with other industries and government 
agencies. In the NOPR, FERC concluded that: 

While broader interdependency issues cannot be ignored, the Commission in- 
tends to revisit this matter through future proceedings and with other agencies. 
This work will help to inform the electric sector and this Commission about the 
need for future Reliability Standards, especially when the interdependent infra- 
structures affect generating capabilities, such as through fuel transportation. 

NOPR, P 118. 

NERC concurs that the interdependency issue raised in the NOPR is an impor- 
tant one; however, the issue is too broad to be restricted to a single agency or indus- 
try sector. We believe that it is best raised through direct cooperation with other 
critical infrastructure sectors through existing cross-sector initiatives such as the 
Partnership for Critical Infrastructure Security (“PCIS”) and the Information Shar- 
ing and Analysis Center Council (“ISAC Council”), with the lead federal government 
agency being the U.S. Department of Homeland Security. Once specific issues di- 
rectly relating to the reliability of the hulk-power system are identified through 
these organizations, standards creation activities can be initiated through the ERO 
to address them. 


III. CONCLUSION 

The approval by FERC of the proposed CIP Reliability Standards will represent 
an important milestone in the transition to the system of mandatory and enforce- 
able reliability standards envisioned by Congress in the Energy Policy Act of 2005, 
that will ensure grid reliability by improving the resiliency of the control system 
cyber assets and improving their ability to withstand cyber-based attacks. 

Going forward, standards development requires progressive and continuous im- 
provement. NERC’s rules, and a condition of accreditation by the American National 
Standards Institute, require that each standard be reviewed at least every five 
years. NERC anticipates completing the review and upgrade of all standards over 
a three-year period, beginning with the highest priority standards in 2007. NERC’s 
standards development procedure provides a systematic approach to improving to 
the standards and documenting the basis for those improvements, and should serve 
as the mechanism for achieving those improvements. 

These CIP Reliability Standards already represent a significant improvement of 
cyber security for the electricity industry. Since our process requires that standards 
be continuously improved, the standards will be reviewed, modified and improved 
by necessity of the process. This will result in an ever-increasing improvement to 
the level of cyber security throughout the electricity industry. However, the process 
must start somewhere with a set of standards. Based on NERC’s development proc- 
ess, and the demonstrated broad base of support, the standards currently before the 
Commission represent the most appropriate starting point for today’s environment. 
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SUMMARY: 

Mandatory and enforceable Reliability Standards under Section 2 1 5 of the Federal Power 
Act are to provide for the reliable operation of the bulk power system only. Section 2 1 5 does not 
extend any authority for the regulation of reliability or cybersecurity beyond that which is 
necessary for reliable operations of the transmission grid. While critical infrastructures in 
various sectors of the U.S. economy are dependent upon the bulk power system, NERC’s 
authority to propose and enforce reliability standards is confined to a single sector of the 
economy. 

NERC will evaluate how all of Reliability Standards work in practice, monitor industry 
and technology developments, and determine on an ongoing basis whether these Standards 
should be improved, or new standards should be promulgated. The key to improving the 
reliability of the North American bulk power system is to put in place good standards, as soon as 
possible. The CIP Reliability Standards are a sound starting point for the electric industry. They 
can and should be made effective promptly so that they can be implemented now. 

In the course of developing the CIP Reliability Standards, NERC evaluated NIST’s 
ongoing work to apply its Special Publication (SP) 800-53, Recommended Security Controls for 
Federal Information Systems, to control systems, and other work underway at NIST to develop 
guidance on securing control systems. The guidelines available from NIST for information 
security when the CIP Reliability Standards were being developed were not appropriate for 
control systems. Moreover, Section 215 of the FPA sets forth requirements for the process and 
procedures through which NERC, as the ERO, may establish Reliability Standards. The 
conversion of a NIST guideline developed for information systems directly into a mandatory 
Reliability Standard for electric grid control systems would not comply with the statutory 
procedural requirements under which NERC operates. Because of the pressing need for 
mandatory cybersecurity standards to secure grid reliability, issuance of the CIP Reliability 
Standards could not be delayed in order to await completion of the NIST process. NERC will 
continue to monitor the progress of the NIST process, and as CIP Reliability Standards continue 
to evolve, there will be future opportunities to continue to reflect NIST documents and guidance 
as appropriate. 


Mr. Langevin. The Chair now recognizes Mr. Weiss to summa- 
rize your statement in 5 minutes. 

STATEMENT OF JOSEPH M. WEISS, MANAGING DIRECTOR, 
APPLIED CONTROL SOLUTIONS 

Mr. Weiss. Good afternoon, Mr. Chairman, Ranking Member 
McCaul and members of the committee. I would like to thank the 
committee for your commitment to a comprehensive examination of 
the cybersecurity of control systems utilized in our Nation’s electric 
grid. I also want to thank you for the opportunity to be here today 
to discuss this very important topic. 

As you mentioned, I am a nuclear engineer that has been in- 
volved in control systems for over 35 years and control systems cy- 
bersecurity specifically for over 7 years. I have been part of the 
NERC cybersecurity standards process since its inception. I have 
been working with government organizations, end users, equip- 
ment suppliers, domestic and international standards organizations 
and others. I am also a utility stockholder and ratepayer, both of 
which can be affected by what we are discussing today. 
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The issue at hand is the protection of the interdependent critical 
infrastructures of electric power, water, oil, gas, et cetera. Control 
systems form the backbone of these infrastructures, and the threat 
of a cyber attack is the central issue. There are only a handful of 
control systems suppliers, and they supply industrial applications 
worldwide. 

The control systems architectures and default passwords are 
common to each other. Consequently, if one industry is vulnerable, 
they all could be. I am aware of more than 90, 9-0, cases where 
control systems have been impacted by either intentional or unin- 
tentional incidents. These incidents have occurred in electric power 
transmission and distribution systems, power generation including 
fossil, hydro, gas turbine and nuclear, water, oil, gas, chemicals, 
paper and agribusiness. The damage from the cyber incidents has 
ranged from trivial to significant environmental releases to signifi- 
cant equipment damage to even deaths. 

When the NERC cybersecurity standards process originated, it 
was meant to address utility control systems with the only exclu- 
sion being mainstream business applications. Over time, the scope 
significantly narrowed. The approach has resulted in the following 
shortcomings: the ambiguousness and exclusions of the NERC CIP 
process, and this includes telecom, electric distribution, market sys- 
tems, serial communications, nuclear plants; and even the fact of 
not requiring actual appropriate control systems policies would not 
meet a cybersecurity assessment of the human resources computer 
system, yet we are using this as a basis for our most important 
critical cyber assets. The banking industry is concerned about the 
security of a single open access point on a laptop. On the other 
hand, the electric industry is determined by using the NERC sub- 
standards that an entire section of the United States has no critical 
generation assets. How can this be considering NERC’s input on 
the aurora vulnerability? 

In my written testimony, I have provided four actual control sys- 
tem cyber events the NERC substandards would not have ad- 
dressed, including one that was identified in an electric sector 
ISAC advisory in 2003. This is not aurora. As can be seen, this lack 
of any real security being addressed by NERC is alarming at best 
and negligent at worst. 

There is a better approach that, in fact, is already mandatory for 
all Federal agencies, which includes TVA, BPA, and the Bureau of 
Reclamation among others. This approaches the NIST framework, 
which has been expanded to specifically address control systems. 
We have conducted a line-by-line review between the NERC CIPs 
and NIST 800-53; the results were that NIST 800-53 is more com- 
prehensive. 

Why should Federal power agencies be held to a higher stand- 
ard? But, more so, why should they be placed at risk where non- 
Federal agencies connect with them using a less comprehensive ap- 
proach? This doesn’t make any sense. 

My recommendation is. Congress should empower FERC with 
the authority and responsibility for development of control systems 
cybersecurity requirements and compliance criteria similar to the 
role of the Nuclear Regulatory Commission. In so doing. Congress 
should also provide FERC with the authority to separate FRO 
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functions so that NERC is responsible for traditional electric sys- 
tem reliability standards, and have a separate organization, very 
possibly ISA, be responsible for the cybersecurity aspects of critical 
infrastructure protection. 

Finally, Congress should take action so that the FRO function is 
funded by the government, not by industry as is now the case, to 
better ensure that conflicts of interest do not interfere with doing 
what is right and necessary and not just what is convenient. 

Thank you for allowing me to provide my thoughts and concerns, 
and I would be happy to answer any questions. 

[The statement of Mr. Weiss follows:] 

Prepared Statement of Joseph M. Weiss 

Good afternoon Mr. Chairman and Members of the Committee. I would like to 
thank the Committee for your invitation to discuss the need for appropriate cyber 
security of the control systems utilized in our nation’s critical infrastructure, in par- 
ticular, the electric infrastructure. 

I am a nuclear engineer who has spent more than thirty years working in the 
commercial power industry designing, developing, implementing, and analyzing in- 
dustrial instrumentation and control systems. I have performed cyber security vul- 
nerability assessments of power plants, substations, electric utility control centers, 
and water systems. I am a member of many groups working to improve the reli- 
ability and availability of critical infrastructures and their control systems, includ- 
ing the North American Electric Reliability Council’s (NERC) Control Systems Secu- 
rity Working Group (CSSWG), the Instrumentation Systems and Automation Soci- 
ety (ISA) S99 Manufacturing and Control Systems Security Committee, the National 
Institute of Standards and Technology (NIST) Process Control Security Require- 
ments Forum (PCSRF), Institute for Electrical and Electronic Engineers (IEEE) 
Power Engineering Society Substations Committee, International ElectroTechnical 
Commission (lEC) Technical Committee 67 Working Group 15, and Council on 
Large Electric Systems (CIGRE) Joint Working Group D2.22. As a control system 
cyber security expert, citizen, stockholder, and ratepayer, I am very concerned about 
the electric industry’s approach to securing the electric grid. I would like to state 
for the record that the views expressed in this testimony are mine. I am not rep- 
resenting any of the groups in which I am involved. 

Until 2000, my focus strictly was to design and develop control systems that were 
efficient, flexible, cost-effective, and remotely accessible, without concern for cyber 
security. At about that time, the idea of interconnecting control systems with other 
networked computing systems started to gain a foothold as a means to help lower 
costs and improve efficiency, by making available operations-related data for man- 
agement “decision support.” Systems of all kinds that were not interconnected with 
others and thereby could not share information (“islands of automation”) became 
viewed as an outmoded philosophy. But at the same time, there was no cor- 
responding appreciation for the cyber security risks created. To a considerable ex- 
tent, a lack of appreciation for the potential security pitfalls of highly interconnected 
systems is still prevalent today, as can be witnessed in a recent article in the Sep- 
tember 2007 issue of Power Magazine. As such, the need for organizations to obtain 
information from operational control system networks to enable ancillary business 
objectives has often unknowingly led to increased cyber vulnerability of control sys- 
tem assets themselves. 

Generally cyber security has been the purview of the Information Technology (IT) 
department, while electric control system departments have focused on grid and 
plant operations efficiency and reliability — not cyber security. This has led to the 
current situation where some parts of the organization are now sensitized to secu- 
rity while others are not as yet aware of the need. Industry has made progress in 
identifying control system cyber security as an issue while not appreciating the full 
gravity of the matter. In other ways, particularly concerning the proposed NERC 
Critical Infrastructure Protection (CIP) cyber security standards,^ I believe we have 
fallen short of the mark. The timing of this hearing is fortuitous as more than 70 


^Makansi, Jason, “Integrated Software Platform Eludes Many Owner/Operators”, Power Mag- 
azine, September 2007. 

2 NERC Cyber Security Standards, http://www.nerc.com/filez/StandardsStandards/Cyber-Secu- 
rity-Permanent.html 
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organizations have recently submitted commentary responses to the Federal Energy 
Regulatory Commission’s (FERC) Notice of Proposed Rulemaking (NOPR) RM06- 
22.3 These submittals provide a detailed view into the electric power industry’s in- 
tended approach to securing the cyber assets used to operate the grid. 

How Mainstream IT and Control System Cyber Security are Different 

Control systems include distributed control systems (DCS), programmable logic 
controllers (PLC), supervisory control and data acquisition (SCADA) systems, and 
related networked-computing systems. Control systems are designed and operated 
differently than mainstream IT business systems. Traditionally, the emphasis in se- 
curing business IT systems is to employ the best practices associated with the well- 
established “Confidentiality, Integrity, Availability” (CIA) triad model — in that order 
of importance. Typically extra emphasis is placed on rigorous human end user ac- 
cess control and data encryption to satisfy the important function of confidentiality. 
In control systems, however, confidentiality has less urgency than system avail- 
ability and data integrity, because in actual control system operation, the typical 
“users” are other computer-based devises (e.g. PLCs and field devices), not humans. 
This distinction, and the fact that most extant control systems are outfitted with 
older microprocessors with little compute power, lies at the heart of the issue of se- 
curing control systems in a manner appropriate to current need. 

Unfortunately, today very few people possess thorough understanding of control 
system cyber security. This understanding requires prior detailed knowledge of the 
control system application, how it is designed and operated, as well as how it com- 
municates and is interconnected with other systems and ancillary computing assets, 
before appreciation of cyber vulnerabilities of the system as a whole can begin. Fig- 
ure 1 generally characterizes the relationship of the different types of specialty tech- 
nical skills needed for control system cyber security expertise, and also reflects the 
relative quantities of each at work in industry today. Most people now becoming in- 
volved with control system cyber security typically come from a mainstream IT 
background and not that of control systems. This has, in some cases, inadvertently 
resulted in making control systems less reliable without providing increased secu- 
rity, such as the example of the uninformed use of mainstream IT port scanners on 
older generation PLC networks. 



FiGure 1 — Relationship and Relative Availability of Control System Cyber Security 
Expertise 


3 Federal Energy Regulatory Commission Docket RM06— 22, http://www.ferc.gov/docs-filing/ 
elibrary.asp 
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It is often mistakenly assumed that a cyber security incident is always a premedi- 
tated targeted attack. However, NIST defines a Cyber Incident"^ as: “An occurrence 
that actually or potentially jeopardizes the confidentiality, integrity, or availability 
(CIA) of an information system or the information the system processes, stores, or 
transmits or that constitutes a violation or imminent threat of violation of security 
policies, security procedures, or acceptable use policies. Incidents may be intentional 
or unintentional.” Unintentional compromises of CIA are significantly more preva- 
lent and can have severe consequences. In fact, statistics collected over roughly the 
past 20 years in mainstream IT have consistently shown that about two-thirds of 
all cyber security incidents originate from within an organization, and that the 
cause of most of those are unintentional human error. This phenomenon must also 
be addressed by cyber security standards if they are to be effective. 

Use of mainstream operating system environments such as Windows and UNIX 
for running control system applications leave them just as vulnerable as these oper- 
ating systems are when used anywhere else, and application of mainstream IT secu- 
rity technical solutions and/or methods can be applied to help secure our more mod- 
ern control system host computers and operator consoles (i.e., PCs). At the same 
time, however, application of mainstream IT security technologies and methods can 
also adversely affect the operation of control systems, such as causing components 
on networks of older generation PLCs to freeze-up upon use of port scanning tools, 
as noted. Furthermore, DOE’s Idaho National Laboratory (INL) has conducted dem- 
onstrations of how a hacker can manipulate widely used “middleware” software run- 
ning on very current mainstream computer systems without a great deal of dif- 
ficulty, e.g., using vulnerabilities in OPC code (“OLE for Process Control”). In this 
sobering demonstration the system appears to be functioning properly even though 
it is not; while displaying incorrect information to, or withholding correct informa- 
tion from, system operator consoles. 

Inadequacy of NERC CIP Standards as Effective Regulation 

Prior to NERC becoming the Electric Reliability Organization (ERO), NERC was 
an industry sponsored, industry-led, and industry-funded organization, and they 
still are today. Contrary to popular belief, NERC as ERO is still funded by the in- 
dustry, thereby creating potential for conflict of interest. It was a secret to no one 
involved that the objective in drafting the Critical Infrastructure Protection (CIP) 
Standards was for the industry, through NERC, to put something in place to its lik- 
ing before the Federal Government did so in its behalf. Thus, the CIP Standards 
were developed by a trade association. 

Because NERC employs an American National Standards Institute (ANSI)-ap- 
proved standards development process, it is required to follow certain rules includ- 
ing balloting of its standards to obtain approval from constituent industry member 
organizations. Consequently, as the CIP Standards went through the balloting proc- 
ess, they became less inclusive, more ambiguous, and created more exemptions to 
applicability. It should also be noted that prior to industry acceptance of the final 
version, the CIP Standards went though three rounds of drafting and subsequent 
industry comment of approximately 1000 pages each (with some redundancy), and 
the NERC Drafting Team could accept or reject recommendations unilaterally as 
they deemed appropriate, with but modest explanation as to rationale. NERC and 
many utility representatives recognized the limitations of this effort, but felt any- 
thing more rigorous in terms of requirements would not be acceptable to enough 
utility organizations to pass ballot. 

As the NERC CIP Standards moved to their final revision, the focus was shifted 
entirely to bulk power grid reliability in and of itself, rather than on societal welfare 
and safety from a homeland security or economic perspective. The reliable operation 
of a small substation that supports a major oil or gas pipeline in a remote locale 
is not salient to grid stability, but failure of same could very well have profound 
adverse consequences for the health of the US economy. Likewise, under the CIP 
Standards, the importance of continuity of electric power to municipal water works, 
manufacturing plants, refineries, hospitals, and military installations, etc., is not a 
factor requiring consideration in determining the importance (or “Criticality”) of the 
electric system assets which serve them. 

Perhaps the biggest issue with the CIP Standards as a set is CIP-002, which es- 
tablishes the scope of applicability for all of the other CIP Standards: identification 
of “Critical Assets.” These are individual pieces of electric system equipment such 
as electric generating units, substation transformers and digital protective relays. 


^National Institute of Standards and Technology Federal Information Processing Standards 
Publication 200, Minimum Security Requirements for Federal Information and Information Sys- 
tems, March 2006. http://csrc.nist.gOv/publications/fips/fips200/FIPS-200-final-march.pdf 
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and though not explicitly stated, presumably though not explicitly the control sys- 
tem hosts, related servers, and operator consoles as well. Per CIP-002, deciding ex- 
actly which electric system assets are critical to reliable operation of the bulk elec- 
tric system is left up to each individual organization to determine for itself, using 
a “risk based assessment methodology” of its own choosing or design. It is only the 
network-computing control systems components used to operate these specific Crit- 
ical Assets — thereby deemed “Critical Cyber Assets” — that must be protected under 
the CIP Standards. For all other non-Critical electric and control system assets, the 
CIP Standards simply do not apply and may be ignored. As CIP-002 is currently 
written, allowing an organization to choose its own methodology permits the docu- 
mented results from the flip of the coin as a perfectly valid and compliant approach 
to self-determination of Critical Assets. FERC has expressed consternation with this 
“flexibility” in its Notice of Public Rulemaking (NOPR) comments, and in its Final 
Rule will in all likelihood remand this Standard back to the NERC Standards proc- 
ess for re-conception. Unfortunately, the NERC standards development process 
takes a great deal of time, and our enemies are not constrained to only take advan- 
tage of our vulnerabilities after our schedule for securing them has run its course. 
The industry has been in the process of developing cyber security standards for over 
four years, and yet the matter remains unconcluded. 

As noted, the CIP Standards apply only to those electric system components self- 
identified by asset owners themselves to be critical to their ability to maintain reli- 
ability for that part of the bulk electric grid falling under the aegis of each. The 
process does not embrace intra-region, inter-region, or a national viewpoint of the 
grid as a system, but rather only parochial considerations, each in isolation to the 
others. Additionally, there is no requirement to take into consideration the potential 
for multiple contingency threat scenarios that can involve more than one sphere of 
interest, such as interdependency of critical natural gas pumping stations and the 
greater electric power system. What’s more, because utilities are interconnected, 
they often share equipment where the utilities conjoin (e.g., “dual ported Remote 
Terminal Units-RTUs”), to say nothing about network-to-network data router inter- 
connections. Accordingly, because utilities will apply the CIP Standards in a non- 
uniform fashion, one utility’s less rigorous application of the CIP requirements will 
make it a “weak link” relative to its neighbor utility, to the detriment of the cyber 
security of both organizations and any others to which there are further data net- 
work interconnections. Also note that all major electric sector control systems in 
North America communicate over the common “NERCnet”, further exacerbating the 
situation. Worse yet, these days most control networks are also interconnected with 
their corporate IT networks, which themselves are connected to the Internet. A 
chain is only as strong as its weakest link. 

Technically, the CIP Standards were conceived primarily from the frame of ref- 
erence of protecting control center host systems and operator consoles, rather than 
field and plant floor controls equipment (“Other Facilities”) at work in substations, 
switchyards, and power plants. The data systems in use within control centers gen- 
erally utilize current computing and networking technology, requiring protective 
measures akin to those used in mainstream business and Internet computing. Con- 
versely, most field PCS (e.g., substation equipment) and power plant DCS controller 
equipment still in use today employ technology that generally is obsolete and has 
little in the way of built-in cyber defenses, with little potential for upgrade or aug- 
mentation. But since the CIP Standards are intended to apply for both data center 
and intelligent field assets, they had to be written in a way that would be relevant 
for advanced current and future computing technologies, while at the same time ac- 
commodating what is essentially ‘ancient’ field and plant controls equipment. The 
result is milquetoast one-size fits all standards that are not rigorous enough for cur- 
rent and future cyber security challenges on the one hand, and by and large are 
overkill for the older field and plant cyber assets still in use. What’s more, major 
gaps in CIP Standards’ effectiveness are created by a number of explicit exclusions 
from applicability — in essence, loopholes. 

Ironically, some of the most important contributors to grid reliability, nuclear 
power plants, are excluded from the scope of consideration as to criticality. While 
the Nuclear Regulatory Commission (NRC) has robust physical security standards 
for nuclear plants, the interconnection of nuclear power plant cyber control assets 
with those used to manage the bulk electric grid currently is not addressed in either 
NERC or NRC Standards. Also, while physical security requirements are specified 
by NRC for nuclear power plants, a little appreciated subtlety is that the CIP 
Standards specify physical security requirements for Critical Cyber Assets only. 
There is no existing NERC standard governing physical security of the Critical As- 
sets themselves, or any other grid assets for that matter. 
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Since electric distribution systems have been excluded from CIP Standards’ scope, 
so too are the controls used to operate them. This is true even though distribution 
assets are in operation within many transmission substations. Regardless of this, 
while many distribution systems employ no control system at all, the ones that do 
are electronically interconnected with transmission control systems, thereby cre- 
ating a direct pathway into the networked-controls infrastructure of the greater 
bulk electric grid. Independent System Operator (ISO) and Regional Transmission 
Operator (RTO) energy management systems (EMS) are intrinsically data networks, 
interconnected one with another via NERCnet. Also via NERCnet, each is also inter- 
connected with “downstream” control systems operated by more localized distribu- 
tion operators, including cooperatives and municipal utilities. With control systems 
of all ownership becoming increasingly interconnected to one another, while also 
being interconnected with general-purpose corporate data networks and the Inter- 
net, control system exposure to cyber threats is greatly increased. Accordingly, the 
frame of reference concerning standards for control system cyber security supporting 
grid reliability purposes must be expanded to account for at least those operational 
control systems that need to be directly interconnected. This means expanding the 
scope of the standards to include smaller control area systems which routinely ex- 
change data — and potentially viruses, worms, or other possibly compromised data — 
with ISO/RTO systems directly. Smaller control area systems can be attractive 
points of entry and through-navigation paths employed in common hacker “island 
hopping” technique. By analogy, at least some of the 9/11 terrorists entered the air 
transit system through feeder airports on that fateful day. 

Another exception to applicability of the CIP Standards are control systems’ data 
communication infrastructure per se. Currently, the electric industry has a huge in- 
vestment in serial communications that will not be replaced and/or upgraded to 
routable communications such as Internet Protocol (IP) for many years. These serial 
communication systems have been demonstrated by the National Laboratories to be 
cyber vulnerable, e.g., through induction coil passive wiretapping or war dialing, 
and there have been instances where serial communications have been com- 
promised. However, legacy protocol serial communications are excluded from the 
CIP Standards’ scope simply because they employ non-routable protocols. 

A further dubious exclusion from the scope of CIP Standards’ applicability in- 
volves the Open Access Same-Time Information System (OASIS). These distributed 
market trading systems are excluded from CIP scope, even though they are rou- 
tinely connected to energy management systems (EMS) and/or SCADA reliability 
systems on one side, and the Internet on the other. There is no existing regulation 
currently governing the cyber security of market systems, which many large sys- 
tems operators will tell, at least privately, are paramount to their ability to dispatch 
their reliability responsibilities. In fact, aside from OASIS systems becoming en- 
tirely unavailable, an operations manager for a large transmission organization re- 
cently offered in confidence that “the thing that scares [him] most in terms of main- 
taining reliability is spoofed [OASIS] schedules and tags” through cyber means. 

Finally, while some electric industry organizations are using ambiguities within 
the CIP Standards to minimize the number of Critical Cyber Assets to which the 
Standards must be applied, without realizing it they may be greatly increasing their 
liability in other ways. At the ISA Expo2007 in Houston,® a panel session was held 
on October 2, 2007, covering NERC CIP implementation. The NERC representative 
in attendance explicitly stated that a utility would be CIP-compliant merely by es- 
tablishing cyber security policies of some kind, even if they are poorly conceived or 
effectively inadequate to need. During the CIP Standards drafting process a less 
vocal but substantial number of electric industry representatives complained about 
the absence of “adequacy metrics” pertaining to the Standards’ requirements in gen- 
eral across the board, which was not remedied prior to their balloted approval by 
the industry. This demonstrates how conception of the CIP Standards has missed 
the mark of thoughtfully effecting genuine cyber security, but rather has resulted 
in the framing of a compliance exercise in essence amounting to adherence to a 
checklist. This at once elevates the need for technically competent auditors who can 
review the checklists and ask the right questions, while at the same time there are 
very few auditors who have requisite experience in the context of control systems. 
What’s more, during a panel session at the ISA Expo2005 in Chicago, one utility 
industry representative presented the following slide: “In the Electric Sector, the 
Business Case for CIP & Reliability initiatives in today’s landscape must be based 
on the surety that your company will be financially impacted if it is found to be non- 


® Panel Session on NERC Compliance, ISAExpo2007, Houston, TX, October 2, 2007. 
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compliant.”® That is, if the amount of the fine would be less than the cost to become 
secure, the utility would pay the fine. 

Case Histories Which Reveal NERC CIP Standards’ Inadequacies 

Contacts throughout industry have shared with me the details and adverse affects 
of more than 90 confirmed control system cyber security incidents to date. This in- 
formation has been shared with me by individuals from the affected organizations, 
and from government sources such as the Nuclear Regulatory Commission (NRC), 
the DOE National Laboratories, the National Transportation Safety Board (NTSB), 
and the National Institute of Standards and Technology (NIST). Note use of the 
term “incident”, not “attack”, as most of these events have been unintentional. The 
incidents are international in scope (North America, Europe, and Asia) and span 
several industrial infrastructures including electric power, water, oil/gas, chemical, 
and manufacturing. With respect to the electric power industry, cyber incidents 
have occurred in transmission, distribution, and generation including fossil, hydro, 
and nuclear power plants. Impacts, whether intentional or unintentional, range 
from trivial to significant environmental discharges, serious equipment damage, and 
even death. Figure 2 shows the result of a Bellingham, WA, pipe rupture,'^ which 
an investigation concluded was not caused by an intentional act. Figure 3 is a pic- 
ture from the Idaho National Laboratory (INL) demonstration of the ability to inten- 
tionally destroy an electric generator by simulating a cyber attack.® 



Figure 2 Bellingham, WA Gasoline Figure 3 INL Cyber Demonstration 


Pipeline Rupture 

The deficiencies in the NERC CIP can be demonstrated by the exercise of apply- 
ing them to historical cyber events. In each historical case discussed below, adher- 
ence to CIP Standards’ requirements would have failed to address the underl3ring 
causes. I have chosen events that are all publicly documented by government (US 
and Australian) reports. I have also included references to the Final Report of the 
2003 Northeast Blackout.® The reason for including this reference example is be- 
cause there were several cyber issues associated with the Northeast Blackout in- 
cluding co-temporal release of the Blaster worm and the First Energy SCADA sys- 
tem alarm problem. These issues resulted in 13 (of the 46) recommendations con- 
tained in the Northeast Blackout Report being cyber-related. The Northeast Outage 
Einal Report was issued approximately two years before the NERC CIP Standards 
were approved. Not including the Blackout Report’s recommendations is inexcus- 
able. 

Case (1) June 20, 2003 “SQL Slammer Worm Lessons Learned. . 

The control network at issued employed a frame relay data network service that 
interfaces with both the utility’s host control system on one side of the network, and 
field components on the other. This network service, vended by a large telecommuni- 
cations carrier, supported many diverse business organizations simultaneously. As 
is common, this network service utilized a high speed Asynchronous Transfer Mode 
(ATM) core network backbone at the center of the frame relay network. With the 


® Thomas Flowers, “The Business Case for Being Auditahly Compliant”, ISAExpo2005, Chi- 
cago, IL, October 25, 2005. 

^“Pipeline Accident Report Pipeline Rupture and Subsequent Fire in Bellingham, Washington 
June 10, 1999”, National Transmission Safety Board Report NTSB/PAR— 02/02 PB2002— 916502. 

® http://news.yahoo.eom/s/ap/20070927/ap on go ca st pe/hacking the grid 13 

® Final Report of the August 14, 2003 Blackout in the United States and Canada:^auses and 
Recommendations, April 2004, https://reports.energy.gov/BlackoutFinal-Web.pdf 

i®SQL Slammer Worm Lessons Learned for Consideration by the Electric Sector, June 20, 
2003, nerc.com. 
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release and rapid spread of the Slammer worm across businesses of all kinds serv- 
iced by the frame network, the core ATM infrastructure became choked by the 
worm’s multiplying replication and propagation. This resulted in blockage of SCADA 
traffic between the utility controls host and remote controls equipment in field sub- 
stations. Note that NERCnet is a shared frame relay network. 

Issues: The telecom network was in essence shut down by Slammer worm traffic. 
The Final Report on the Northeast Blackout recommends the development of a ca- 
pability to detect wireless and remote wire line intrusion and surveillance, and this 
report was issued prior to the adoption of the NERC CIP Standards. NERC should 
have heeded this recommendation, but inexplicably, the CIP Standards exclude 
availability requirements for telecom networking, which is intrinsic to control sys- 
tem operations. As will be discussed later, the NIST SP800-63 standard does not 
allow a scope exclusion concerning telecommunications network availability — the 
CIP Standards do. 

Case (2) Tempe, Arizona Area Outage of June 29, 2007. 

The outage lasted 46 minutes and affected 98,700 customers, representing 399 
Megawatts (MW) of load. It was caused by the unexplained activation of the dis- 
tribution load shedding program in the energy management system (EMS) at the 
Salt River Project (SRP), the utility affected. A total of 141 distribution circuit 
breakers were opened by the EMS unexpectedly. 

Issues: Most of the automation used in electric transmission and distribution sys- 
tems is used to manage the distribution function. Distribution systems can be di- 
rectly connected to transmission systems, and distribution system failures can be 
precursors to cascading outages resulting from runaway load shedding. However, 
the NERC CIP excludes distribution automation from scope, because they are not 
deemed to be part of the bulk electric system per se (i.e., the grid). NIST SP800- 
53 does not allow exclusion from scope of distribution automation assets. 

Case (3) Australian Wireless Network Hack 

A disgruntled former consultant to an Australian firm that used radio-controlled 
SCADA sewage processing equipment packed his car with stolen radio equipment 
and attached it to a computer. He drove around the area on at least 46 occasions 
from February 28 to April 23, 2000, issuing radio commands to open discharge 
valves, resulting in sewage spills. This attack became the first widely known exam- 
ple of someone maliciously breaking into a control system. 

Issues: Aware of this event, the task force that issued The Final Report of the 
Northeast Blackout recommended the development of capabilities to detect wireless 
and remote wire line intrusion and surveillance. The Blackout Report and the Aus- 
tralian sewage attack report were issued prior to the issuance of the NERC CIPs. 
Inexplicably, the NERC CIP Standards exclude non-routable protocols and do not 
explicitly address wireless communications. NIST SP800-53 does not have these 
scope exclusions concerning non-routable protocols, and addresses wireless commu- 
nications explicitly. 

Case (4) Nuclear Power Plant Cyber Ineident 

On August 19, 2006, operators at Browns Ferry nuclear generating facility, had 
to manually scram (shut down) Unit 3 following a loss of both primary and sec- 
ondary reactor water recirculation pumps. Plant procedures specified that the man- 
ual scram was required following the loss of recirculation flow. The NRC issued an 
Information Notice (IN) to alert licensees about recent operating experience related 
to the effects of potential interactions and unanticipated failures of Ethernet con- 
nected non-safety equipment on the safety and performance systems in use at nu- 
clear power stations. 

Issues: Nuclear plants represent approximately 20% of US electric power genera- 
tion. Widespread shutdown of nuclear facilities would have significant adverse im- 
pact on the reliability of the bulk electric grid. The NRC is responsible for the safety 
of nuclear plants, that is, safe shutdown. NRC does not however “regulate” the con- 
tinued operation of nuclear plants in relation to grid reliability, as witnessed in the 
NRC Information Notice. The NERC CIP Standards exclude nuclear power facilities 
from scope, while NIST SP800-63 does not allow such exclusions for nuclear plants. 


“Computer Problem Causes Brief Outage to as Many as 100,000 SRP Customers in Ari- 
zona”, Energy Assurance Daily, Friday June 29, 2007, http: ! I www.oe.netLdoe.gov I docs ! eads ! 
ead062907.pdf 

Supreme Court of Queensland r v Boden, Vitek 2002, CA Number 324 of 2001 DC Number 
340 of 2001, http:j / www.courts.qld.gov.au / qjudgment / QCA%202002 1 QCA02-164.pdf. 

13 NRC Information Notice: 2007-15: Effects of Ethernet -Based, Non Safety Related Controls 
on the Safe and Continued Operation of Nuclear Power Stations, April 17, 2007. 
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Early Repercussions from Establishment of the CIP Standards 

As noted above, each organization in the electric industry with responsibility for 
maintaining the reliability of the bulk electric system is free to adopt a risk based 
assessment methodology of its own choosing or design to determine which cyber con- 
trols apparatus must be protected. Discussion across the industry has born witness 
to an interesting phenomenon which has yet to be formally documented anywhere. 
It so happens that many of the largest electric utilities have determined in their 
risk assessments that they have no — zero — critical generation assets. In fact, within 
one of the largest regions in the US, the southeast, virtually none of the large opera- 
tors have identified any of their generation assets — nuclear included — as being crit- 
ical to reliability of the bulk electric system. The reason for this is offered forth- 
rightly, that their systems have been designed to withstand “N-1 contingencies,” 
meaning that they can withstand the loss of any single unit without adverse impact 
on reliability. What is not being considered is the potential for simultaneous mul- 
tiple contingencies. With the greater controls infrastructure being as cyber-inter- 
connected as observed earlier, it is by no means beyond the realm of possibility of 
just such an occurrence taking place. Without digression into potential permuta- 
tions, while Slammer and Blaster worms were propagated via email, and email is 
generally not used in operational control systems, an analogous threat vector could 
be sculpted for widespread attack on the greater assemblage of control systems used 
to operate the grid. What if a Trojan Horse planted in numerous generation control 
systems should awaken at the appointed hour and simultaneously trip a whole col- 
lection of plants in a region offline at once? The effect would look very much like 
the Northeast Blackout. Very possible scenarios such as this are being discounted 
out of hand by people in positions of authority who really do not understand cyber 
security. 

Second, we are also witnessing an unfortunate and unexpected phenomenon con- 
cerning the CIP Standards that leaves us at cross purposes with other needed elec- 
tric system management improvements. Many of the more recent utility controls au- 
tomation upgrades have been motivated by the goal of improving electric system re- 
liability, but at the same time to also aid reduction in operation and maintenance 
costs. Many of these new systems enhancements are predicated upon the use of 
modern digital networking technologies (e.g., emplojdng routable protocols such as 
IP), and in so doing these assets explicitly fall within scope of NERC CIP Standards’ 
compliance. Consequently, because of concerns about potentially being “caught by 
the CIP Standards” in a state of noncompliance thereby resulting in potentially 
large fines, a number of utilities have started to disconnect, or have ceased imple- 
mentation of, these modern networked-systems improvements — motivated explicitly 
by the goal of CIP Standards compliance-requirements avoidance. This tactic results 
in leaving certain existing cyber vulnerabilities unaddressed through exploitation of 
loopholes in the CIP Standards, as now written. At the same time, new “time and 
distance compression” operating efficiencies that can be garnered through use of 
modern networked remote control and telemetry are thereby lost by this step back- 
ward. The potential for improved operational efficiency could at least temporarily 
contain if not indeed reduce gross operating costs, which in turn holds the line on 
electric rates experienced by society. So, it appears that the industry is at cross-pur- 
poses in its response to the need to both secure and modernize the existing control 
systems infrastructure. This ironic industry response to the CIP Standards serves 
neither purpose in any discernable positive way. 

An Alternative to the NERC CIP Standards 

The NIST “Security Risk Management Framework” (hereafter referred to as 
“Framework”) has been developed by the Department of Commerce, and its use is 
mandatory for all federal agencies under the Federal Information Security Manage- 
ment Act (FISMA).!"* It is devoid of conflict of interest and has been broadly and 
publicly vetted. There is nothing ‘onerous’ about the NIST Framework, as it applies 
specifically for systems that do not have national security significance, and recently 
it has been augmented to address the unique needs of industrial control systems. 
In a study performed by MITRE Corporation for NIST, a line-by-line comparison of 
controls and countermeasures within NIST SP800-53 and the NERC CIP Stand- 


i^The Federal Information Security Management Act of 2002 (“FISMA”, 44 U.S.C. §3541, et 
seq.) 

National Institute of Standards and Technology Special Publication 800-53, Revision 1, Rec- 
ommended Seeurity Controls for Federal Information Systems, December 2006. 
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ards was undertaken. The results indicated the NERC GIF Standards were less 
rigorous than even the low-baseline security controls established in the NIST 
Framework. In the final analysis, if U.S. Fish and Wildlife must comply with the 
low-baseline NIST Framework, from the perspective of societal wellbeing and eco- 
nomic stability, in good conscience is it prudent to require less from the operators 
of the electric grid. 

A recurrent theme in the FERC NOPR is the need for greater granularity and 
detailed specificity in the GIF Standards. Part of the problem is the manner in 
which the GIF Standards are written — broadly brushed and highly generalized; so 
it’s easy to understand FERG’s desire for more specificity. This desire is at least in 
part motivated by the need to conduct compliance audits. The high-level abstraction 
of the NERG GIF Standards requirements language can leave the auditor struggling 
with shades of grey in interpretation (especially those auditors that come from a 
mainstream IT background exclusively), to say nothing as to grey-area impact in ap- 
peals to findings of non-compliance. In contrast, NIST SP800-53 is far more granu- 
lar and provides clear requirements that have much less room for misunder- 
standing. Furthermore, the companion NIST SP800-53Ai'^ provides guidelines for 
determining the effectiveness of cyber security controls; that is, the extent to which 
the controls are implemented correctly, operating as intended, and producing the de- 
sired outcome with respect to meeting the security needs of the organization. Addi- 
tionally, NIST has also produced a detailed guidance document for industrial control 
system (IGS) security, NIST SP800-82,i® which provides instruction on securing 
IGSs while at the same time satisfying their unique performance, reliability, and 
safety requirements. 

One of the major problems in control system cyber security is the culture clash 
between an organizations’ mainstream IT department and that responsible for the 
operating critical infrastructure and related control systems. The NIST Framework, 
specifically NIST SP 800-53 extended for Industrial Gontrol Systems (IGS), is the 
only document of which I am aware of that addresses both IT and control systems 
security in the same document. Gonsequently, it is my belief that this is a key tool 
that can help bridge the organizational divide between mainstream IT and control 
system operations functions; which in and of itself can help to untangle many of the 
existing control system cyber security issues. 

Adoption of the NIST Framework for the electric sector will eliminate the require- 
ment for redundant effort faced by a number of quasi-federal organizations such as 
the Tennessee Valley Authority (TVA) and the Bonneville Power Authority (BPA), 
who are now required to prepare different sets of documentation and endure dual 
audits for both FISMA and NERG GIF Standards compliance. Is this duplication a 
good use of ratepayer dollars? 

The electric sector is arguably the most interdependent of all the critical infra- 
structures, and it’s also the first of the private industrial sectors (health and finan- 
cial excluded) to move toward establishment of cyber security standards. Without 
digression, it would appear wise for all of our industrial sectors to adopt a consistent 
set of methodologies for cyber security of distributed and process industrial control 
systems. The vulnerability demonstration shown by GNN (reference 5) provides a 
clear justification. The advisory notice about the demonstrated vulnerability was 
issued to the electric industry, including dams, and was also released to the chem- 
ical and water industries as they use similar systems and networks and thereby 
similar cyber vulnerabilities. Additionally, having consistent requirements across in- 
dustries can minimize the potential for having to modify control systems to meet 
individual sector security requirements. 

One way to move towards cross-sector convergence in cyber security ways and 
means is for all stakeholders to use the same terminology and to eliminate duplica- 
tive or overlapping sets of security standards’ requirements. NIST offers a set of 
high-quality publications addressing most of the relevant managerial, administra- 
tive, operational, procedural, and technical considerations. Each of these publica- 
tions, such as SP 800-53, have been put through a significant public vetting process 
by all sectors, including, to the extent possible, by authorities in the national secu- 


^6 mitre Technical Report (MTR070050): Addressing Industrial Control Systems in NIST 
Special Publication 800-53; http://csrc.nist.gov/groups/SMA/fisma/ics/docunients/papers/ICS-in- 
SP800-53_fmal_21Mar07.pdf 

National Institute of Standards and Technology Special Publication 800— 53A, Guide for As- 
sessing the Security Controls in Federal Information Systems (Third Public Draft), June 2007. 

National Institute of Standards and Technology Special Publication 800-82 (2nd draft), 
Guide to Industrial Control Systems (ICS) Security, http: ! I csrc.nist.gov ! publications ! drafts ! 
800-82 ! 2nd-Draft-SP800-82-clean.pdf 
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rity domain. NIST offers its documents to all organizations interested in using them 
as a basis for developing common Standards within the ICS community. 

Summary Opinion 

NERC is now FERC’s Electric Reliability Organization (ERO) and as such should 
no longer be acting as an industry-representative organization. However, much evi- 
dence reveals NERC still exhibiting vestiges of its role as an industry advocate, at 
least in so far as concerns its attempts to minimize the urgency of the matter of 
cyber security. Rather than be attentive to and supportive of the FERC NOPR and 
move to assure its implementation, NERC has chosen to issue rebuttal comments. 
What’s more, the dubious act of NERC submitting a rebuttal to FERC is exacer- 
bated by the poor technical quality of its comments. NERC has not had previous 
experience with control system cyber security, and I do not believe that NERC as 
constituted is capable of providing adequate oversight of cyber security of the grid. 

For the reasons stated above, the existing NERC CIP Standards are not adequate 
for cyber-securing the electric grid. There are other approaches that can provide a 
higher level of security without incurring significant incremental cost. My principal 
recommendation is that the NIST Framework’s requirements should be incorporated 
into standards for industry that are currently being developed by the ISA99 Stand- 
ards Development Committee, Security for Industrial Automation and Control Sys- 
tems.2° As is NERC, ISA is an accredited member organization of the American Na- 
tional Standards Institute, and the ISA99 committee brings together security ex- 
perts from across industry, government, and academia. DHS has already provided 
valuable support by allowing experts from NIST and the National Laboratories to 
contribute in this ISA99 initiative, and it is vital that this support continue. I rec- 
ommend further that the NIST Framework requirements form the basis of compli- 
ance audits to be conducted by a new and related entity, the ISA Security Compli- 
ance Institute. Any resulting fines or other findings should be addressed by NERC. 
A single set of Standards for industrial automation and control systems is more cost 
effective than a patchwork of standards conceived independently by each industrial 
sector. This would provide the leading practitioners on control systems cyber secu- 
rity to bring their expertise to bear and provide comparable levels of protection 
across the interdependent critical infrastructures. 

Recommendation to Congress 

Congress should empower FERC with the authority and responsibility for develop- 
ment of control system cyber security requirements and compliance criteria similar 
to role of NRC in these matters. In so doing. Congress should also provide FERC 
with the authority to separate ERO functions so that NERC is responsible for tradi- 
tional electric system reliability Standards, and have a separate organization be re- 
sponsible for the cyber security aspects of critical infrastructure protection. Finally, 
Congress should take action so that the ERO function is funded by the government, 
not by industry as is now the case, to better ensure that conflicts of interest do not 
interfere with doing what is right and necessary, and not just what is convenient. 

Mr. Langevin. Mr. Weiss, I want to thank you for your testi- 
mony. You had some very salient points in there, and I agree with 
your testimony. 

I want to again thank all the witnesses for their testimony here 
today. And I now recognize myself for the purpose of questions. 
Let’s get right to it. 

Mr. Whiteley, as you are aware, we are very concerned about the 
aurora mitigation efforts ongoing in the electric sector. In a briefing 
with staff on Friday, DHS described a survey that NERC sent out 
in August 2007 to determine how many owners and operators were 
implementing the mitigation efforts. 

Can you describe the survey and tell us its findings? 

Mr. Whiteley. The survey was the follow-up to the guidance 
that was issued earlier in the spring, and we have determined that 
approximately, at this point, 75 percent of the transmission grid 


i^NERC Comments on the FERC NOPR dated October 5, 2007, Comments on the North 
American Electric Reliability Corporation on the Notice of Proposed Rulemaking for Mandatory 
Reliability Standards for Critical Infrastructure Protection, nerc.com 
20ISA99, Security for Industrial Automation and Control Systems 
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has either taken appropriate actions or is in the process of imple- 
menting those actions. And we continue to follow up with the re- 
maining 25 percent of the grid that either has not reported or that 
hasn’t started to take action to find out what the status is. 

So in terms of ongoing work, we continue to follow up; to eventu- 
ally reach a 100 percent reporting is our goal. 

Mr. Langevin. Why don’t you have 100 percent compliance at 
this point? What is the remaining 25 percent? Why are they drag- 
ging their feet? 

Mr. Whiteley. Well, I don’t have — I don’t have information on 
whether they are dragging their feet or whether we just have not 
received the report. We are in the process of following up with 
them at the present time to determine just exactly that. 

Mr. Langevin. On that 75 percent you say is in compliance, this 
is not just anecdotal. You are talking about, these are hard an- 
swers to the issue of having implemented all the mitigation strate- 
gies? 

Mr. Whiteley. This is a follow-up with most of the large utilities 
in the country and many of the intermediate-size utilities as well. 
And it is hard evidence or hard data that we have asked, and they 
have explained what has been done. So we have direct information. 

Mr. Langevin. Well, I don’t have as high a degree of confidence, 
and I have to say I am a bit skeptical that the entire electric sector 
is well on its way to having mitigated the problem and imple- 
mented strategies. 

Mr. McClelland, would FERC determine an investigation to con- 
sider whether the level to which electric sector owners and opera- 
tors have implemented these mitigation efforts? 

Mr. McClelland. Yes. Yes. We agree that in order to determine 
whether or not there have been sufficient mitigation measures em- 
ployed, it would be very important — in fact, essential — to have in- 
formation that would validate what those mitigation measures 
were and who has conducted those mitigation measures. 

Mr. Langevin. Thank you. 

Mr. McClelland and Mr. Whiteley, under today’s regime that is, 
frankly, the option of the cyber standards, if a cyber exploit of the 
aurora vulnerability is imminent, how will the electric sector, ISAC 
or the Department of Homeland Security ensure the immediate im- 
plementation of mitigation efforts? 

And doesn’t the fact that this is an advisory document hamper 
the mitigation? 

Mr. Whiteley. NERC has issued it as an advisory because it 
falls outside of our present authority in terms of standards that 
have already been approved. Had they been approved standards, 
then we would have additional mechanisms to follow up with the 
industry. And so to the extent we could, we have issued the advi- 
sory, explained it, and we are following up. 

Mr. McClelland. The Commission issued an order on Sep- 
tember 20 to clarify, that required action alerts, as issued by NERC 
in this circumstance, are not required because they are not based 
on an approved reliability standard, the standard that has been 
through the open and inclusive process required by EPAct and then 
approved — subsequently approved by the Commission. However, 
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the Commission encourages — we applaud NERC and encourage 
these types of advisories to be put into place. 

We have also now directed that — following a required action 
alert, the Commission has directed that within 30 days of the com- 
pliance date on such an alert, the Commission will receive a report 
from the ERO that will detail who has complied, who has not com- 
plied with what the level of compliance is, so that the Commission 
can evaluate whether further action — and that would include ac- 
tion to call for a reliability standard — is warranted. 

Mr. Langevin. Thank you. 

Mr. Weiss, do you care to comment on any of the questions and, 
in particular, if, in fact, there was a need to move quickly as a re- 
sult of actionable intelligence, some knowledge that there is a vul- 
nerability that existed. A, does the current structure lend itself to 
closing loopholes quickly? And what is the best strategy or the best 
entity to make sure that if we have a situation that arises, that we 
can move quickly to close gaps, close vulnerabilities? 

Mr. Weiss. I would like to address one other point, and that is, 
aurora is obviously a very critical vulnerability. It is the not only 
one; there are several others out there, probably of equal signifi- 
cance. And one of the things that I am very concerned about is that 
people focus so much on aurora that they don’t look at other things. 

I had a phone call from a friend from the oil/gas industry when 
they got that ISAC advisory. Their first question to me was, what 
about the other vulnerabilities? So the first thing I really want to 
get across is, we are not trying to address one and only one issue. 
What we are trying to address is the cyber vulnerability of the 
grid, and for that matter, the interconnections to the grid. 

The second point is that what I have found personally over time 
is that there is a tendency for private industry to be very reticent 
to provide information to the government. Several years ago we 
prepared a scoping study. We did this under a DOE contract. It 
was Carnegie Mellon and my previous employer. It was a scoping 
study for setting up a cert for control systems, and one of the most 
important aspects on that was that we felt that that initial entity, 
where the information goes in, should not be a government entity. 
It should be somewhere that it could be sanitized and then sent off 
further to actually have the work done. 

But the other point I want to get across, because I think this gets 
missed, is what I said to begin with. All of these industries use ex- 
actly the same equipment; that same, identical programmable logic 
controller that is used in a power plant or a substation is used in 
a steel mill, in a chemical plant, in a water plant, et cetera. So if 
they have problems or cyber issues, we need to know that. 

One of the things I see that is missing, you could call it an ISAC, 
call it what you will, but there should be something that is focused 
on the control systems because that is what we are looking at. That 
is what cuts across. 

Mr. Langevin. Thank you, Mr. Weiss. 

My time has expired. The Chair now recognizes the Ranking 
Member for 5|iminutes. 

Mr. McCaul. I thank you, Mr. Chairman. 

You know, since 9/11 we have been very focused on physical 
threats. But in my view, not enough attention has been paid to vir- 
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tual threats and cyber threats, and yet we have known about these 
threats out there. 

I think aurora kind of highlighted it and brought it even more 
so to our attention, not only to the panelists, but to Members of 
Congress when we had that briefing. We have a responsibility in 
a bipartisan way to do everything we can to protect the American 
people. 

First and foremost, when you look at 25 nations that have cyber 
warfare programs out there, it causes me great concern. And Mr. 
Weiss, you mentioned other vulnerabilities. My question was going 
to be — and I do want to ask a question about NIST, if I can, as 
well. But as I said to the prior panel, some credit deserves to be 
made to Idaho National Lab and DHS for actually proactively find- 
ing a vulnerability, then fixing it, then mitigating it. 

Mr. Weiss. Absolutely. 

Mr. McCaul. But there are other vulnerabilities. 

To the extent you can comment on those, Mr. Weiss, can you tell 
us what those are? And what do we need to be doing at the Federal 
level in the government to address those in the most practical way? 

Mr. Weiss. Again, following up on what you just said, the Idaho 
National Lab and, for that matter, the other national labs have 
been doing this type of research for several years. Aurora, because 
it actually showed damage to equipment, is the first one that, if 
you will, really made a splash. But they have shown that you could 
damage equipment, that you can open valves, that you can open 
and close breakers. They have been showing that for the past 3por 
4|iyears; it just hasn’t gotten the attention it has needed. 

Part of the issue that we have is in the control systems world, 
we have designed our systems for performance, and we have never 
assumed anybody would intentionally want to do harm. And so 
when I talk to people, it is the people that, if you will, own these 
systems that are the most knowledgeable, and if they thought 
about it, could cause the greatest harm. They are the people we 
need at the table because they could come up with, if you will, the 
worst cases and the things we really need to address. 

Mr. McCaul. Of course, any country that has that capability also 
could use it against us. 

Mr. Weiss. Sure. 

Mr. McCaul. And has a mitigation strategy with respect to au- 
rora helped protect us from some of these other vulnerabilities in 
these other areas? 

Mr. Weiss. It can because part of what aurora did was look at 
a remote access vulnerability. That covers more than just aurora. 
So in that sense, it has done, incrementally, good. There are other 
things out there, there are other vulnerabilities that are totally 
independent, if you will, of the aurora vulnerability. 

Mr. McCaul. That was sort of in my thoughts as well. 

We sent a letter, a bipartisan letter, basically stating that we be- 
lieve that the reliability of the Nation’s bulk power system, BPS, 
would be better protected by a cybersecurity standard that incor- 
porates additional security measures of the National Institute of 
Standards and Technology under the special publication 800-53. 

Where are you three on this? 
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Mr. Weiss. Well, I have to be a bit careful because I was part 
of the process. What I can tell you is what we did. 

We had a member from the NERC drafting team, myself, some- 
body from MITRE and several people from NIST where we went 
and we spent 2, 3 days going through, line by line, the comparison 
between the NERC CIPs and 800-53; and in addition to that, look- 
ing at 800-53 to make sure we are extended to cover control sys- 
tems. 

What NIST then did is, it held several meetings with Federal 
agencies that were bound by Federal law to use that. So they also 
got feedback coming in from the end-users. 

I believe personally that the — like I say, I am biased — I believe, 
far and away, that is the best document that is out there. And it 
does one other thing I would like to make a point of 

One of the biggest problems we have today is a conflict between 
the IT organization and the control systems organizations, that is, 
throughout any industry or any company. The NIST document is 
about the only one that can address it because it is the only docu- 
ment that essentially was IT to start with. So IT is there, and it 
has now been extended to cover control systems. So we have one 
document that both organizations can share or have to share. 

Mr. McCaul. And Mr. Whiteley? 

Mr. Whiteley. Well, certainly I would suggest that the CIP 
standards that we filed with the Commission are simply a starting 
point. And I think I have referenced that in my testimony. That it 
is a good starting point, and our intention is to make them better 
as time goes on. 

Certainly, the evidence that NIST standards may be more appli- 
cable today to control systems than they were when these were 
originally drafted and that there is additional guidance from the 
cybersecurity community, it would be very appropriate for us to put 
them back through our standards process and make appropriate re- 
visions. 

And, in fact, I can tell you that in our normal cycle of revising 
our standards, the cybersecurity standards are already in our work 
plan within the next 3|iyears for their first round of revisions, and 
they haven’t even been approved yet. So we know they will get bet- 
ter; they have to get better over time. 

Mr. McCaul. Mr. McClelland. 

Mr. McClelland. I should begin by explaining, or at least clari- 
fying, the Commission’s authority. The Commission can approve a 
proposed — the Commission can’t author a reliability standard; it 
can only approve or remand a reliability standard. Simultaneous 
with the approval, the Commission can call for immediate modifica- 
tions to the standard. 

The comments we received from Congress ask us to consider the 
NIST standards instead of the CIP standards the Commission had 
proposed in its Notice of Proposed Rulemaking. Understanding the 
Commission could not substitute the standards for the CIP stand- 
ards, the Commission proposed to evaluate NERC on its perform- 
ance by NERC’s evaluation of the NIST standards. 

There are entities, such as TVA, that will be under both NIST 
and CIP standards. The best elements of the NIST standards can 
and should be incorporated into the CIP standards. If the ERO 
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doesn’t initiate that motion on its own, the Commission can and 
will initiate that motion. 

I should also say that the CIP standards in their current state, 
the Commission is concerned. There are exclusions for reasonable 
business judgment. There are also exclusions for technical feasi- 
bility. An example would be if a piece of equipment is not capable 
of accepting a multicharacter password, a longer password with 
multicharacters, one might be able to claim under the current CIP 
standards that it is not technically feasible and be excused from 
that requirement. 

So the Commission has expressed these concerns and is pro- 
posing to call for immediate modifications to the CIP standards. So 
on that basis, the CIP standards in their current form, the Com- 
mission feels needs improvement. 

Mr. McCaul. Okay. Thank you very much. 

Thank you, Mr. Chairman. 

Mr. Langevin. I thank the gentleman. And just as a follow up 
to Mr. McCaul’s questions, a comment with respect to the vulner- 
ability discovered in control systems, the aurora issue in particular. 

I just wanted to mention how important Mike Assanty and Barry 
Coonley, Idaho National Labs, were to this effort, very critical to 
this effort. Talk about two guys thinking outside the box and dis- 
covered this problem. They did a — as far as I am concerned, a great 
service to the Nation and should be applauded for their hard work. 
And I received their brief back in January, as did the Department 
of Homeland Security, and then we got the committee briefing to 
this as well. And again, it did a great service to the country on this 
issue. 

With that, the Chair now recognizes the gentlewoman from Cali- 
fornia, Ms. Lofgren, for 5 minutes. 

Ms. Lofgren. Thank you, Mr. Chairman. 

Mr. Weiss, I mentioned earlier, when you were in the audience, 
it is nice to see you in a room instead of on a plane like we usually 
do. And I am glad that you were able to come out and share your 
thoughts, which are very helpful. 

In the first panel, one of my colleagues asked how much more it 
would cost if the NIST standards were adopted instead of NERC. 
Do you have an opinion on what that cost would be, what the incre- 
ment would be? 

Mr. Weiss. The issue — it is a two-part answer. If the NERC CIPs 
were to cover as comprehensive a scope as the NIST standard, 
there would be no incremental cost. 

The incremental cost is because, with the NERC’s CIP standards, 
utilities can exclude 

Ms. Lofgren. Right. 

Mr. Weiss. — all kinds of equipment. 

Ms. Lofgren. Well, let’s assume — I mean, the defects have been 
outlined by GAO and yourself in terms of scope. So let’s use that 
as the baseline. 

Mr. Weiss. Yeah. Then the answer, there should be really no dif- 
ference, because what you are talking about is doing a cyber secu- 
rity assessment. And if you meet what would be a good, com- 
prehensive cybersecurity assessment, it should be with either one. 
So there really shouldn’t be any incremental cost. 
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Ms. Lofgren. I have a question, and I guess it is for FERC be- 
cause we have struggled now with this whole cybersecurity expo- 
sure issue for a considerable period of time; and I must say that 
despite sustained interest, I am not yet convinced that we have 
made the progress that we should have. 

And the question is, who is going to have the responsibility to in- 
sist? And especially — you know, it is one thing for the Federal Gov- 
ernment, that is not necessarily in a lead position technologically, 
to come into the tech sector and say, you have got to do this, be- 
cause we probably don’t know what we are talking about. 

But it is quite a different thing to insist that at least industries 
that are not the tech industry use what is available and what is 
identified. 

And we heard earlier today that our assistant secretary doesn’t 
have the authority really to insist; and you are saying you don’t 
have the ability really to insist. I have a sense of urgency about 
this, and I don’t feel that sense of urgency from the testimony. 

So the question is, you know, maybe one structure would be — 
and we are going to have — Mr. Garcia is going to get back to us. 
But when you have an assessment here such as we have now from 
NIST, and you know, I think they are widely acknowledged as a 
pretty reputable and efficient organization — you know, shouldn’t 
we have the cybersecurity division have the ability to go to the reg- 
ulator — for example, yourself in this case — and say, this has got to 
be done in this time frame for the national security? 

Mr. McClelland. The Commission does have the ability to com- 
pel the return of a reliability standard within a predetermined pe- 
riod of time. It can be within days, if such urgency exists. 

The difficulty when it involves national security issues, which I 
mentioned in the opening statement, is that the process is open 
and inclusive. It is participatory. 

So folks are convened. They vote for a standard. They return the 
standard. 

Ms. Loegren. I understand. 

Mr. McClelland. The Commission then solicits comments. The 
Commission goes through Notice of a Proposed Rulemaking, con- 
siders the comments and then issues a final rule. 

The cybersecurity provisions, however, were part of the Energy 
Policy Act, and they are the Commission’s responsibility. With that 
in mind, the Commission now is actively reviewing its options in 
light of its authority and in light of recent developments. 

Ms. Lofgren. Well, I guess you know I just feel some sense of 
frustration because, as Mr. Weiss has outlined — and we don’t want 
to go into all the details here; I mean, some of these vulnerabilities 
have been well known for some time. And if you take a look at the 
interconnection and cascading catastrophe that we are open to — 
and we haven’t done anything about it; we haven’t done anything 
about it in 4 or 5 years. And I just can’t understand why. 

And, you know, it is not something the Congress can enact be- 
cause the vulnerabilities change as the technology does to some ex- 
tent, although the stuff that we never fixed remains vulnerable. 

You know, it has really got to be done administratively, and yet 
here we are just as bare as we ever were. And I just feel — you 
know, how do we instill a sense of urgency here? 


VerDate Nov 24 2008 13:19 Sep 04, 2009 Jkt 000000 PO 00000 Frm 00067 Fmt 6633 Sfmt 6601 H:\DOCS\110-HRGS\110-78\48973.TXT MSEC PsN: DIANE 



64 


Mr. McClelland. The aurora issue has heightened the sense of 
urgency. And, again, the Commission can compel a reliability 
standard. But it cannot compel action of users, owners and opera- 
tors without a reliability — or it is not clear that the Commission 
can compel action of users, owners and operators without a reli- 
ability standard to base it on. 

The process itself is open and inclusive. So, there again, I under- 
stand your concern, and there is a tension between an open and in- 
clusive process. 

Ms. Lofgren. Well, I wonder if — I know my time is up, Mr. 
Chairman — but if you could get back to us on any suggestions that 
you would make for something like this. Because you know, we are 
all for openness, we are all for a process, and there is a role for 
that. But I don’t particularly think that the energy sector is nec- 
essarily, you know, the leading edge on cybersecurity. 

And we have a roadmap. And aurora was spectacular. I want to 
give credit to people who took action. 

But there are things that Mr. Weiss has said, incidents and 
things that haven’t even been reported, that if you look at the im- 
plications could be as dire or worse. They are out there, and they 
have not been attended to, and I don’t see any plan to attend to 
them. 

Mr. McClelland. We will be delighted to work with your staff 
on that information. Thank you. 

Ms. Lofgren. Thank you very much. 

Mr. Langevin. I thank the gentlelady. 

The Chair now recognizes the gentleman from Texas, Mr. Green, 
for 5 minutes. 

Mr. Green. Thank you, Mr. Chairman. I thank you and the 
ranking member for convening this meeting. 

I suppose I should say, in a sense, thank God for CNN, because 
CNN has made what was clear to some transpicuously clear to oth- 
ers. They brought great popularity to this issue. And I suppose at 
some point we have to ask ourselves, is there anything in that 
CNN report that we take issue with? 

Dr. Weiss, is there anything in that report that you take issue 
with? 

Mr. Weiss. No, there isn’t. I thought it was well done. 

The other thing I thought was well done is, the real details of 
the vulnerability were really not made public to those that we don’t 
want to know about them. 

Mr. Green. Yes, sir. 

Does anyone take issue with any aspect of the CNN report. 

Mr. Whiteley. I certainly don’t take issue with the CNN report 
on its face. 

I just will point out that NERC has responsibly developed and 
filed with the Commission for approval CIP standards that will ex- 
pand the cybersecurity protection of critical assets, as was exposed 
in the aurora videos. 

Mr. Green. And Mr. McClelland? 

Mr. McClelland. No, sir. 

Mr. Green. Mr. McClelland, am I pronouncing that correctly, 
sir? 

Mr. McClelland. It is McClelland. 
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Mr. Green. All right. Mr. McClelland, you indicated that it may 
take you a while to determine whether you need additional author- 
ity, or “new authority” I think is a term that you used. Is this cor- 
rect? 

Mr. McClelland. We are in the process of making those deci- 
sions now. We are evaluating our options under our authority in 
215. 

Mr. Green. Yes, sir. 

Mr. McClelland. I don’t know that I would say “a while,” Rep- 
resentative, but we are evaluating. 

Mr. Green. In Texas, we call this “fixin’ to do” something. And 
about how long will you be fixing to do this? 

The CNN report causes my constituents to have a great degree 
of consternation. So about how long do you think it will take before 
you can announce whether you need new authority? And if indeed 
you do, what new authority do you need? 

Mr. McClelland. This is a difficult answer to provide, but I will 
put it forward. 

As a staff member of the Commission, I cannot reveal pending 
Commission actions. I can say matters are under consideration. I 
can say they are important to the Commission. And I can say we 
are working diligently on them. But I cannot say that the Commis- 
sion will take action within some period of time. 

Mr. Green. Well, that is understandable. 

I must tell you, I am appreciative that you did not use the words, 
“all deliberate speed" — for obvious reasons, hopefully. 

Let me go to the next question. You said that you need more en- 
gineers. 

Mr. McClelland. Yes, sir. 

Mr. Green. You did not say how many more. So how many? 

Mr. McClelland. The Commission has asked for an additional — 
a supplemental request in the 2008 budget for $9 million. The $9 
million would be allocated towards 55 full-time employees. The ma- 
jority of those employees would be engineers and bulk power sys- 
tem experts. 

There are also auditors and some lawyers in the allocations. 

Mr. Green. This will give you the number that you will need? 
Or will this give you a number that will benefit you? 

Mr. McClelland. The Commission’s authority changed substan- 
tially with EPAct 2005. For the first time, the Commission had di- 
rect authority over the reliability of the bulk power system. 

That said, we are discovering — or we are now verifying, we are 
documenting needs for personnel. 

Mr. Green. I have to ask you — let me just say this, sometimes 
when persons finish, I don’t know whether they said “yes” or “no.” 

Mr. McClelland. I understand. 

Mr. Green. May I just ask you again? And you would kindly give 
me a “yes” or “no”? 

Will this give you the number that you need? Or will this give 
you a number that will be of benefit to you? 

Mr. McClelland. It will be a number of benefit, subject to fur- 
ther review. 
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Mr. Green. Well, we will be honored to know the number that 
you will need, because if there is a need, I think we want to make 
sure that the need is met. Because this is critical. 

Final question. Dr. Weiss — and may I call you Doctor? 

Mr. Weiss. It is actually Mister. 

Mr. Green. You look like a Doctor, so you are promoted today. 

Dr. Weiss has indicated that ERO should be funded by the gov- 
ernment. Is that what you said. Dr. Weiss? 

Mr. Weiss. Yes. Yes. 

Mr. Green. All right. 

Let me ask you, friends, does anyone differ with Dr. Weiss on his 
basic premise that the ERO should be funded by the government? 

Mr. Whiteley. NERC’s position is that the present funding 
mechanism, which is to take NERC’s expenses and divide them 
equally amongst all users of electricity in the United States on a 
net-energy-for-load basis is reasonable and appropriate. 

Mr. McClelland. I agree that at this time the Commission 
couldn’t support the proposition that the ERO should be funded by 
the government. So I agree that the current funding mechanism is 
acceptable. 

Mr. Green. If I may, Mr. Chairman — Dr. Weiss, you will have 
the last word from me, anyway. 

Give the rationale for having the government fund it, please. 

Mr. Weiss. Eor the simple fact that if the industry funds them, 
they are an industry-driven organization. 

My concern, when you look at this — I mean, just the fact that 
NERC sent detailed rebuttal comments to the FERC NOPR, my 
view is that the ERO should be like in the nuclear world where you 
have INPO, the Institute for Nuclear Power Operations, that it 
should be an organization looking out for the public good, not for 
the industry good. So if it were funded by the government, not by 
industry, it would not be beholden to have to come up with rec- 
ommendations that meet industry needs. 

That is where I was coming from. 

Mr. Green. Thank you, Mr. Chairman. I owe you 1 minute and 
21 seconds. 

Mr. Langevin. I am calculating now. The Chair now recognizes 
the gentleman from New Jersey, Mr. Pascrell, for 5 minutes. 

Mr. Pascrell. Mr. Chairman, if there is any history here, and 
you know history tells tales about the Federal Energy Regulatory 
Commission. I know, Mr. McClelland, you are not on board too 
long, but my relationship with FERC has not been a good one. I 
had to drag 10 Congressmen from both sides of the aisle down 
there to stop an impending move 4 years ago, 5 years ago, which 
was successful, plus we all joined together in this. And FERC could 
not define what its responsibilities were. 

If you remember at the end of the 90s and the early part of this 
century, FERC was trying to disassociate itself from any responsi- 
bility it had in the marketplace with energy problems. So this is 
not hyperbole here. I am not making this stuff up. There was quite 
a clash and conflict in the Congress’ ability to have oversight of 
FERC, is something that we need to take a look at another time. 

So when I hear the answers to the questions and when I read 
carefully your testimony, there is a lot of ifs in here, and I don’t 
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know when these things are going to he accomplished. And I agree 
with the gentlelady from California that I don’t see or hear any 
sense of urgency. 

This is critical, I think you would agree. You have a great back- 
ground, so I hope you will bring some sensibility to what I consider 
an organization that has been dysfunctional for many years. And 
I don’t want to go into the people who were put on there, because 
you don’t want to hear that now. 

Mr. Weiss, your testimony is quite interesting here. You know 
that NERC and FERC have been talking to each other, they have 
had a good relationship. We hope what will come out of that is 
pretty quickly some standards that we can agree on. 

And I am sure, Mr. McClelland, that you couldn’t answer the 
question for the gentleman from Texas, but you are going to go 
back to your superiors, get an answer to that question and give it 
to the committee if it is at all possible. I mean for you to tell us 
that you can’t tell this committee when you are going to come forth 
with action. We didn’t even ask you what the action was. You 
know, I find that to be very interesting. Boy, if that isn’t political 
jargon down in Washington, D.C., I don’t know what is. That is un- 
acceptable to this chairman. 

Mr. Weiss, I want to ask you this, as the NERC CIP standards, 
those infrastructure standards that we have talked about here 
today, you said as they moved to their final revision the focus was 
shifted entirely to bulk power grid reliability. 

Mr. Weiss. Yes. 

Mr. Pascrell. In and of itself. 

Mr. Weiss. Yes. 

Mr. Pascrell. Rather than on societal welfare. That is a power- 
ful statement there. That is my words. 

Mr. Weiss. Yes. 

Mr. Pascrell. In safety from a Homeland Security or economic 
perspective, the reliable operation — I think this is an example you 
give of a small substation that supports a major oil or gas pipeline 
in a remote local is not salient to grid stability, but failure of same 
could very well have profound adverse consequences for the health 
of the United States economy. Would you explain that? 

Mr. Weiss. Yes. 

Mr. Pascrell. That a pretty potent statement you made. 

Mr. Weiss. In fact, that was one of the two examples I could 
bring. But the point is for the bulk power grid the loss of a par- 
ticular power plant or a particular substation will have no impact, 
if you will, on that local power grid. But if that particular sub- 
station or that particular power plant is providing the power to a 
natural gas pumping station, I know of one, for example, that pro- 
vides about 60 percent of the natural gas to the entire northeastern 
United States. But that plant is in a sense meaningless to the local 
grid. 

Mr. Pascrell. Right. 

Mr. Weiss. But if you lose that pumping station, you have lost 
all your natural gas. 

Mr. Pascrell. Right. 

Mr. Weiss. So what is happening is in version 3 of the NERC 
CIPs, version 4 was the one that was finally accepted. In version 
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3 it had, I believe, either three or four criterion. One was bulk elec- 
tric, the other was economy, and there was also health and safety. 
All of those were explicitly in version 3 of the NERC CIPs and then 
also removed as it went to version 4. 

Mr. Pascrell. Why? 

Mr. Weiss. I can’t explain that. 

Mr. Pascrell. Well, who removed this? 

Gentlemen? Mr. Whiteley, who removed them and why? 

Mr. Whiteley. My understanding is that the changes that are 
made through the standard drafting process are made by the 
standard drafting team, which is comprised of the industry experts 
in the area that is being developed into a standard. And it was 
their judgment to make the revisions, whatever they were in to 
from version 3 to version 4, and eventually now that standard, rec- 
ognizing that the authority that NERC has is limited to the bulk 
power system and that is a very 

Mr. Pascrell. Your power is limited and EERC’s power is lim- 
ited, and we are talking about societal welfare, we are talking 
about the health of our community, the safety of the community, 
and you take all of those out before the final report. That to me 
makes no sense and we can’t find out who took it out. 

Can I ask one more question? 

Thank you. Why wasn’t the blackout report included in the final 
report, as you point out, Mr. Weiss, when we were dealing with 
NERC and CIP standards? Why was that taken out, Mr. Weiss? 

Mr. Weiss. I don’t know. 

Mr. Pascrell. That wasn’t in there either. Give us some options 
why was it taken out? Come on, let’s get to the meat and potatoes 
here. Why was it taken out? Who took it out? Give us some ideas 
of why. 

Mr. Weiss. I can only tell you I was not on the drafting team. 
The comments that I put out, that ISA put out, were not accepted. 
That is all I can say. 

Mr. Pascrell. Well, we know why they weren’t accepted. 

Mr. Chairman, I think I have heard some interesting things this 
afternoon, and I think that this committee with your leadership 
and Michael’s leadership and Mr. McCaul from Texas’ leadership, 
I think we can get to the bottom of this. I am telling you, Mr. 
Chairman, nothing is going to get done if we leave it to chance. 
EERC is not a responsible public entity. It will not be until it is 
pushed by this Congress. 

Thank you, Mr. Chairman. 

Mr. Langevin. I thank the gentleman for his questions and his 
comments, and I can assure you and the other members of the com- 
mittee that the ranking member and I will continue, we are very 
close to this, and this is not the last hearing of its kind on the issue 
of cyber security. Whether it is Aurora or other security 
vulnerabilities, this is one of many where I plan to exercise intense 
oversight. And I thank the gentleman for his passion. As usual, it 
is great to have you back on the committee. 

The Chair now recognizes Mr. Etheridge for 5. 

Mr. Etheridge. Thank you, Mr. Chairman, I am going to follow 
some of that same line for just a minute in a little different way. 
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In 1996, power was out across a wide range of western States be- 
cause, as I remember, a squirrel got burned out on a transformer 
at a very crucial time. And then in 1998 there were two power fail- 
ures. An ice storm took out power in eastern Canada and the 
United States. New Zealand lost power, as I remember, for a couple 
of months due to a transmission line failure. 

2003, a blackout covered much of northeastern United States, 
and that was caused by failure of a transmission line, as I remem- 
ber, in Cleveland. It sort of cascaded across a whole host of areas. 
And the interconnectivity of the nature of the grid means that a 
single point can have a significant impact. 

So let me ask my question this way. Some of the testimony of 
folks here is that the possibility of a coordinated attack on multiple 
control systems can be a devastating event. Can we all agree with 
that? 

Mr. McClelland. Yes. 

Mr. Whiteley. [Nonverbal response.] 

Mr. Weiss. [Nonverbal response.] 

Mr. Etheridge. Would a massive effort be required to have a 
large impact. 

Mr. Whiteley. Massive effort and large impact. It would be a 
significant effort to attack all of those cyber assets simultaneously. 
Is it hypothetically possible? I presume so. 

Mr. Etheridge. Well, I raise that question because if a squirrel 
can have that kind of impact, a squirrel is not very high tech. I 
mean I am not trying to be funny; I am being very deadly serious 
about this issue. 

Mr. Whiteley. And if I can respond on the blackouts or outages 
that you have talked about, in each of those cases there is a single 
failure that leads back to other failures of the system. And that is 
precisely why the standards that we put forward, and many of 
which are now actually mandatory and enforceable, address issues 
like vegetation management so that the trees don’t grow into the 
lines. And when there are single points of failure that they don’t 
cascade 

Mr. Etheridge. Okay. 

Mr. Whiteley. So we are addressing them in our existing stand- 
ards. 

Mr. Etheridge. Okay, I understand that. Well, how likely is it 
that a single cyber attack on a control system could take out a re- 
gional power system that then would have a major impact? 

Mr. Weiss. Let me try and answer it this way, a cyber event can 
be targeting multiple systems at one time. So part of what I am 
asking, I am not trying to be too much of an engineer, but the issue 
is you are talking about targeting multiple entities, and it is also 
a function of when you do it. If you do it during the summer when 
the system is at its highest stress, and systems are out, it won’t 
take that many more systems to create a larger failure. When the 
system isn’t stressed as much, it would take more. 

Just so you know, 4 years ago I gave a presentation at the Geor- 
gia Tech Protective Relay Conference. It was kind of a precursor 
to Aurora. It was essentially laying out a scenario that I ran by 
Sandia, Idaho, and PNNL as well as several other utilities, how 
simply using cyber alone you could bring the grid down for a sig- 
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nificant time, strictly on the transmission and distribution side. 
Fairly simple. Can you do it? Yes. 

Mr. Etheridge. Well, that leads to the next question then, some- 
what similar. You said you can, but I guess my question is are con- 
trol systems within the distribution grid that vulnerable to attack? 
And if so, what effect might that attack have and how catastrophic 
could it potentially be? I think that is important for us to have 
some sense of in this committee. 

Mr. Whiteley. I will just add from NERC’s standpoint distribu- 
tion systems are outside of our purview. However, you are talking 
about very similar kinds of systems that utilities protect in a very 
similar kind of manner. And if they are protecting their trans- 
mission assets, they are also protecting their distribution assets. 

Mr. McClelland. I would like to add to that. I didn’t under- 
stand the question to be distribution assets per se, but the wires 
associated with a bulk power system. Again to echo Mr. Weiss’s 
comment, it would depend on the unit, how large is the generating 
unit that is being attacked or what is the combination of output 
from those generating units, what is the peak load on the system 
at the time, how sophisticated is the adversary. 

There is a level of sophistication in order to be able to pull off 
a coordinated cyber attack against critical facilities in a critical 
time. And then to also say, perhaps take Mr. Whitely’s comment 
and put that forward and put a twist on it, the level of cyber pro- 
tection that one exercises is critical. The harder it is to penetrate 
someone’s assets, there are easier targets around the corner. 

So if the basic level of cyber protection is elevated, if the CIP 
standards are in place and the requirements are passed as manda- 
tory and enforced or with real penalties behind those, one would 
expect the level of compliance to rise and make it more difficult but 
not impossible for a sophisticated adversary to carry out an attack 
against the bulk power system. So the threat is real. 

Mr. Weiss. Can I add one other point? 

Mr. Etheridge. Please. 

Mr. Weiss. It is the reason why I have been talking about dis- 
tribution. Distribution is normally outside the purview, but there 
are two issues here. One is it is generally where money is being 
spent to upgrade the systems. And so they are going from the old, 
if you will, cyber dumb to very cyber alive systems. 

The second point is those distribution systems electronically talk 
to transmission. In the past when you dealt with reliability you 
generally dealt with each one individually. The point about cyber 
is they talk to each other. That is what is so different here, the 
silos don’t work anymore. So that is why market systems all of a 
sudden become an issue. They talk to SCADA systems. It is why 
telecom is important. It is why small facilities are important. It is, 
if you will, what happened on 9/11. The hijackers that came into 
Boston that boarded the plane did not board it from Boston, they 
boarded it from a smaller airport. If you don’t take care of the 
smaller, the bigger is going to be a vehicle. 

Mr. Etheridge. Thank you, Mr. Chairman. I appreciate your in- 
dulgence. I yield back. 
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Mr. Langevin. I thank the gentleman and, in consultation with 
the ranking member, we are going to ask each one question before 
we conclude. 

And with respect to the distribution system, this is a timely 
question, can the panel answer this, under a future regime after 
the NERC standards are adopted, NERC will be able to regulate 
companies who don’t comply with approved cyber standards, but as 
we pointed out in the committee’s comments, NERC’s definitions 
will exclude a lot of critical assets. 

The way I read the NERC definition, the assets at issue in the 
Aurora vulnerability would not be considered critical assets. In 
other words, you have major vulnerability out there, but NERC 
isn’t going to able to regulate the mitigation efforts of the industry 
even after the standards are passed. 

Can the panel provide feedback on my interpretation? 

Mr. Whiteley. Perhaps I can start and maybe clarify my earlier 
comment, that it is certainly NERC’s intention to reach through to 
any part of any system that has to do ultimately with reliability 
of the bulk power system. And if that means that something that 
is in an individual residence somehow is connected to the system 
that would threaten the bulk power system, then certainly we 
would use all of our authorities that we have to reach through and 
assure reliability and protection of those assets. 

So from the standpoint of distribution or not, yes, if indeed the 
case is there, what the situation is is the line is drawn between dis- 
tribution and transmission and that is where essentially the sys- 
tem stops the issue that may come up from the distribution system. 
But if indeed there is a problem on the distribution system, it 
would be our intention to use whatever authority we have to reach 
those issues, those problems, because they affect the bulk power 
system and that is within our purview. 

Mr. Langevin. But even if you wanted to, is NERC going to have 
the ability to actually have some teeth in that regulation or is it 
some other entity that has to impose it? 

Mr. Whiteley. In our view, if it impacts the reliability of the 
bulk power system, then we can reach it. 

Mr. Langevin. Other members of the panel? 

Mr. McClelland. I agree to your point about critical assets. 
Again this was a major point in the Commission’s notice for pro- 
posed rulemaking. The Commission thought and expresses and pro- 
poses therefore to direct NERC to develop a risk-based assessment 
to provide guidelines to industry to help standardize or at least put 
commonality in the definition of critical based assets. 

In addition, the Commission has proposed to direct NERC that 
all critical assets be submitted on a regional basis. In other words, 
the folks within a reliability coordinator’s area or regional entities 
area would have to determine what the critical assets were, submit 
it to that entity, and then those lists would be subject to the Com- 
mission’s review. 

So we share your concern concerning the determination of critical 
assets and propose to tighten the definition of critical assets signifi- 
cantly. 

Mr. Langevin. Thanks. Mr. Weiss, any final thought? 

Mr. Weiss. [Nonverbal response.] 
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Mr. Langevin. Thank you. The Chair now yields to the ranking 
memher. 

Mr. McCaul. Thank you, Mr. Chairman. A two-part question to 
the panel as a whole, the Information Sharing Analysis Centers, or 
ISACs, coordination with the private sector. I think it really pivots 
on the ability of the private sector wanting to share the informa- 
tion. Do you believe that under current law there are enough pro- 
tections for private industry to do so? I mean recognizing that a 
company is not going to want to share the fact that they are vul- 
nerable. They have a fiduciary duty to their shareholders that 
could obviously impact the company. Under current law, are there 
enough protections in place so that they will freely share that infor- 
mation? 

And then the second part of my question is with respect to the 
Department of Defense we have a cyber warfare program. It seems 
to me there is great expertise in the U.S. military in terms of how 
somebody else could penetrate us; in addition, how we would better 
work hopefully with the DOD to better protect our critical infra- 
structure. Is that currently happening? I know I am throwing out 
two questions at you, but if could you tackle those. 

Mr. Whiteley. Well, the answer to the first question is at least 
it has been our experience that we are not having, we, NERC, are 
not having trouble receiving information from users, owners and 
operators when we ask the questions of how they are complying 
with standards that are in place or gaining information on our as- 
sessments so that we do overall reliability, all the way through into 
the alerts that have been put out. So far the history has been that 
we have not run into a significant problem along those lines. 

On the second part, I am not directly aware whether or not we 
have engaged DOD in any kind of liaison or not. We can certainly 
get back to you on that and explain what level. 

Mr. McCaul. Mr. Weiss may have more expertise on that issue. 

Mr. Weiss. Let me try and answer both of the questions you 
asked. The first one I would actually modify a little bit, is there 
an incentive for industry to share that information? And one of the 
things that is happening is there has been very little, and that is 
why there has been very little of that information shared. Like I 
say, my database I have got, you know, 90 cases. There are not 90 
cases, these are just control systems. None of these are IT. You 
don’t have 90 cases in the ES, ISAC or any of the other ISACs. 
Part of it is there needs to be the expertise with the ISACs to deal 
with control systems and generally they are not there. 

Like I said, the other thing is the incentive, why would an entity 
want to provide that information, even if they had it, because the 
other point is that a lot of these events are not even identified or 
known to be cyber. It is one thing for the light to go out, it is an- 
other for someone to realize it was cyber for why it occurred. Let 
me start with that. 

The second thing, dealing with DOD, I have had a little bit of 
dealings, I have given a lecture at the naval post-grad school in 
Monterey. It was kind of interesting because they hadn’t really 
been focusing on protecting cyber assets, they were looking at at- 
tacking the cyber assets. There is a big difference between protec- 
tion and defense. What we need here is the defense. 
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And the other point I want to make is our systems in the com- 
mercial world, he they electric, chemicals, you name it, are dif- 
ferent than DOD. I came from that after having come from nuclear. 
If you have got cyher safety-related equipment, that is very much 
more expensive, very different than is used elsewhere. So part of 
this is how do we get DOD working with us, and we kind of have 
in the sense that right now there is an individual who used to he 
on the DOD side who is now on the regulatory side. 

Mr. McCaul. It seems to me you are relying a lot on Sandia and 
Idaho National Lab. We have a cyber warfare program that knows 
how to attack, and it seems to me they would know best, you know, 
in learning where to penetrate than equally where how we can de- 
fend. This is in my view. 

Mr. Weiss. The only reason, again, I don’t mean to be technical 
about this, but the systems that are used in the commercial-indus- 
trial world are different than IT systems and they are different 
than DOD systems. What DOD is used to in terms of trying to 
mitigate what they would do we don’t have. And honestly if we 
tried to put them in, it would probably hurt us very, very deeply 
in terms of how these systems can perform. So it is not as straight- 
forward as most people would like it to be. 

Mr. McCaul. That is insightful. Mr. McClelland? 

Mr. McClelland. The current process is open and inclusive. In 
order to compel entities to abide by reliability standards they have 
to be developed in an open, inclusive process. There is a conflict 
with national security issues. So if there is an issue such as Au- 
rora, there is a concern if the mitigation measures are disclosed too 
fully and the information is disclosed publicly would you have done 
more harm than good. If we received mitigation plans, we send an 
agency mitigation plan for specifics in order that they can audit or 
they can determine compliance with a standard, will that informa- 
tion then be subject to public disclosure? That is a real concern and 
it is the intention of the Federal Power Act. Section 215 has 
worked very well for us to establish an ERO, to approve and cri- 
tique reliability standards and check some or pen some in some 
cases and also to certify the regional entities to assist the ERO. 
When it comes to national security issues, this is an important sub- 
ject. It is critical and it is under review, and we will move forward 
on this issue. 

Mr. McCaul. I thank you, Mr. Chairman. 

Mr. Langevin. I thank the gentleman. Does the gentleman from 
New Jersey have any final questions? 

Mr. Pascrell. Yes, sir. 

I want to thank the gentlemen for their patience this afternoon. 
I have a question that I hope you all would respond to. I want to 
talk about the 2003 northeast blackout. That blackout was a mas- 
sive power outage that occurred through parts of the northeast and 
the midwestern United States and Ontario, Canada in August of 
2003, August the 14th. It was the largest blackout in North Amer- 
ican history. It affected 10 million people, 10 million people in the 
Province of Ontario, about one-third of the population of Canada, 
40 million people in eight States, which is about one-seventh of the 
total population. This is pretty big. In the end the outage-related 
financial losses were estimated at a staggering $6 billion. 
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My question to all the witnesses is this, really two questions. 
Have we learned all the lessons about our vulnerability from that 
blackout? And part B, do the proposed NERC regulations properly 
take into account those lessons? 

Why don’t we start with Mr. Weiss and go to Mr. Whiteley and 
to Mr. McClelland? 

Mr. Weiss. The NERC or, excuse me, the northeast blackout re- 
port, 13 of the 46 recommendations in that report were cyber. At 
least a couple of them were explicitly excluded from the NERC 
CIPs. 

Mr. Pascrell. Right. 

Mr. Weiss. Wire line, et cetera. I cannot tell you why. I can tell 
you we certainly knew about it. I can also tell you the day of the 
northeast outage was also contemporary with it was the Blaster 
worm and that there was or were other facilities not in the north- 
east that had cyber events that day. You won’t find that in the 
northeast blackout report because they weren’t in the northeast. 

So the issue is have we learned? I don’t believe so. 

Mr. Pascrell. Thank you. Mr. Whiteley? 

Mr. Whiteley. I will address both parts. First, I would respect- 
fully disagree with Mr. Weiss’ connotation that the northeast black- 
out report recommendations on cyber security were not included in 
the CIP standards. I would be happy to get back with you on our 
analysis of those CIP standards and the fact that they addressed 
every one of the blackout recommendations. 

As to the other standards that we have in place, each one of the 
standards, if followed on that day, would have resulted in nothing 
more than a single line outage in northeast Ohio and not a cas- 
cading outage. So I think the evidence is clear that our reliability 
standards, as they have been passed, once the industry follows 
them and we believe the industry is following them to the greatest 
extent, will result in a more reliable system than we had back in 
2003, and yes, we have learned a lot from the 2003 blackout and 
we have taken a lot of action since that time. 

Mr. Pascrell. Thank you. Mr. McClelland. 

Mr. McClelland. If you mean by the question are we finished 
or is it impossible for another blackout like this to happen, will it 
not be prevented? The answer is no. The standards are based on 
a continuing improvement process. The Commission’s responsibility 
is to review those standards and call for modifications or reject the 
standards where the standards are not adequate. 

As an example, NERC submitted 107 reliable standards to the 
Commission for approval. If things were perfect and everything 
was done we would have accepted 107 standards. The Commission 
approved 83 of those standards and called for major or significant 
modifications to 56 of the 83 standards we approved. 

In addition, prior to June 18th, 2007 — the standards became 
mandatory and enforceable on June 18th, 2007. Prior to that time 
there was a period of self-reporting where entities would say, I am 
not in compliance with these standards, I have got some problems, 
some or most of those problems may be characterized as potentially 
having low impact to the bulk power system, but some would have 
a high impact to the bulk power system and be on a parallel with 
the incident that caused the 2003 blackout. 
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The Commission is aware that over 4,000 self-reported violations 
have been reported to NERC, and the Commission is expecting 
mitigation plans to be submitted to correct those self-reported vio- 
lations. The process is not done, blackouts can still occur. There 
has been substantial and significant progress by the industry to try 
to prevent another occurrence, but much work remains to be done. 

Mr. Pascrell. Thank you. Thank you, Mr. Chairman. 

Mr. Langevin. I thank the gentlemen. I want to thank the panel 
for their testimony and the answers you provided to the questions. 
I thought this was very productive. I thought your answers were 
very insightful. It has certainly given us a lot to think about. Clear- 
ly, there is much work to be done and we look forward to continued 
oversight in this area and continued efforts of working with you, 
but you have been very helpful and I do appreciate your testimony. 

Again, I thank the witnesses for the valuable testimony and the 
members for the questions. The members of the subcommittee may 
have additional questions for the witnesses, and we ask that you 
respond as expeditiously in writing to those questions. 

Hearing no further business, the subcommittee stands adjourned. 

[Whereupon, at 5:30 p.m., the subcommittee was adjourned.] 
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Appendix I: Letter from David Whiteley 

COMMITTEE ON HOMELAND SECURITY 


House of Representatives, 
Subcommittee on Emerging Threats, Cybersecurity, 

AND Science and Technology 
Washington, DC, December 12, 2007 

Hon. James R. Langevin: 

Chairman, Committee on Homeland Security, U.S. House of 
Representatives, Washington, D.C. 20515 

Dear Mr . Chairman: In the questions for the record you sub- 
mitted to NERC following the Subcommittee’s October 17, hearing, 
you asked, “What were the results of the August 2007 NERC sur- 
vey sent to owners and operators regarding the status of the sec- 
tor’s implementation of the Aurora mitigation efforts?” I am writing 
to correct any misimpression that my November 20 response may 
have given regarding the timing of the written survey. 

My answer to your question did not make clear that the survey 
of owners and operators regarding the implementation of mitiga- 
tion measures was sent in October 2007, not in august 2007 as in- 
dicated in your question. The response provided a narrative discus- 
sion of the results of the October survey. As you requested, a copy 
of the survey itself, dated October 19, 2007, was included with my 
response. 

I recognize that the way the response was written may inadvert- 
ently appear to confirm that the survey was sent in August. En- 
closed is an amended copy of the response to Question No. 1 that 
clarifies the timing of the written survey. I would be grateful if this 
material could be substituted for my November 20 response to No. 
1 in the written hearing record. 

I apologize for any inconvenience this may have caused. 

Sincerely. 


David A. Whiteley, 
Executive Vice President 
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APPENDIX II: Additional Questions and Responses 


Questions from the Honorable James R. Langevin, Chairman, Subcommittee 
ON Emerging threats, Cybersecurity, and Science and Technology 

Responses from Mr. Greg Garcia 

Question 1.: What percentage of electric sector owners and operators do 
you believe implemented the Aurora recommendations issued by NERC? 

Response: The Electric Sector Information Sharing and Analysis Center (ES- 
ISAC) distributed the advisory to 3,000 electric utilities. As part of individual cor- 
porate risk management and critical infrastructure protection planning efforts. Elec- 
tric Sector owners and operators consider known vulnerabilities and identify and 
implement mitigation activities to address them. It is the responsibility of owners 
and operators to implement the recommendations issued by the North American 
Electric Reliability Corporation. The Department of Homeland Security (DHS) is 
working with the Electric Sector, the Department of Energy (DOE), and the Federal 
Energy Regulatory Commission (FERC) to raise awareness and promote implemen- 
tation of the recommendations. DHS is also working with DOE and FERC to deter- 
mine what actions the private sector has implemented. 

Question 2.: If a cyber exploit of the Aurora vulnerability is imminent, 
how will the Electric Sector ISAC or the Department of Homeland Security 
ensure the immediate implementation of mitigation efforts? 

Response: Under the National Infrastructure Protection Plan (NIPP) Partnership 
Eramework, public — and private-sector security partners collaborate on national 
critical infrastructure protection. The Department of Homeland Security (DHS) cur- 
rently has several mechanisms in place to communicate with vendors, owners, and 
operators to facilitate information sharing about exploits and vulnerabilities, as well 
as incident management and appropriate mitigation efforts. For example, the 
United States Computer Emergency Readiness Team National Cyber Alert System 
facilitates information sharing about vulnerabilities to a broad audience; the Control 
Systems Cyber Security Vendors’ Forum meets monthly to discuss emerging issues 
affecting control systems security; and DHS works directly with the control systems 
stakeholder community to exchange information by leveraging the Protected Critical 
Infrastructure Information program, which safeguards sensitive information shared 
by industry with the government. 

In the case of the Aurora vulnerability, DHS worked with the private sector 
through the NIPP Framework to alert the control systems community. Federal 
agency partners worked with industry technical experts to assess the vulnerability 
and to develop sector-specific mitigation plans. The jointly developed mitigation 
guidance allowed owners and operators within the affected sectors to take deliberate 
and decisive actions to reduce significantly the risk associated with this vulner- 
ability. 

Question 3.: How many program managers have been in charge of the 
Control Systems Security Program in the last 3 years? What was the FY 
2007 budget? Who is in charge of this program, and what grade is that per- 
son? 

Response: Four individuals have served as the National Cyber Security Division 
(NCSD) Control Systems Security Program Director since May 2004. The Program 
Director position, within Cybersecurity and Communications at NPPD, is currently 
vacant and posted at the GS-15 level. In the interim, Cheri McGuire, GS-15, is 
serving as the Acting Control Systems Security Program Director. 

The FY07 budget for the NCSD Control Systems Security Program was $9.3 mil- 
lion. 
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How has your office developed a process to formalize and improve infor- 
mation sharing regarding control system vulnerabilities with critical infra- 
structure owners and operators? 

Response: The Department of Homeland Security (DHS) coordinates efforts 
among Federal, State, and local governments, as well as control systems owners, op- 
erators, and vendors, to improve control systems security within and across all crit- 
ical infrastructure sectors by reducing cyber security vulnerabilities. DHS has devel- 
oped a process to formalize the sharing of sensitive information related to control 
systems vulnerabilities. This process describes the information flow from vulner- 
ability discovery to validation, public and private coordination, and outreach and 
awareness, and also identifies the deliverables and outcomes expected at each step 
in the process. 

The process includes existing entities across the public and private sectors, such 
as the Federal Control Systems Security Working Group, the Process Control Sys- 
tems Forum, Sector Specific Agencies, Government Coordinating Councils and Sec- 
tor Coordinating Councils, the United States Computer Emergency Readiness Team 
(US-CERT), and Information Sharing and Analysis Centers. It also builds on estab- 
lished DHS practices and procedures for the identification, validation, coordination, 
and communication of vulnerabilities across the critical infrastructure and key re- 
sources (CI-KR) spectrum. 

As part of this process, DHS uses three primary mechanisms to communicate vul- 
nerability information about control systems to various stakeholders: 

1. US-CERT shares information about vulnerabilities via several products. 
These products include Vulnerability Notes, which are released on a regular 
basis, and the Quarterly Report on Cyber Vulnerabilities of Potential Risk to 
Control Systems, which includes more detailed analyses of cyber vulnerabilities 
that may impact control systems. 

2. DHS partners with vendors, owners, and operators to perform vulnerability 
assessments of selected systems to identify cyber vulnerabilities based on 
emerging exploits and works with industry to develop mitigation strategies. 
DHS also works with control systems vendors, owners, and operators as they 
share sensitive information through the Protected Critical Infrastructure Infor- 
mation program so that private-sector vulnerability data may be appropriately 
safeguarded. 

3. DHS facilitates information sharing among control systems vendors through 
its sponsorship of the Control Systems Cyber Security Vendors’ Eorum estab- 
lished in 2006. The Forum holds monthly meetings at which control systems 
vendors share information and discuss emerging issues affecting control sys- 
tems security. The Forum has served as a basis for building a trusted informa- 
tion sharing community and comprises more than 90 percent of the vendors who 
manufacture and provide support services to the CI-KR control systems market 
in the U.S. 

Are all government-owned assets eompliant with NIST 800-53 as applied 
to control systems? 

Response: Under the Federal Information Security Management Act, all Federal 
agencies must meet minimum security requirements for information and informa- 
tion systems in accordance with National Institute of Standards and Technology 
(NIST) Special Publication 800-63, Recommended Security Controls for Federal In- 
formation Systems, as amended. NIST 800-53 is currently undergoing revisions to 
include security guidelines specific to control systems. Federal agencies have up to 
one year from the date of final publication to fully comply. DHS is working closely 
with NIST on these revisions. 

Question 4.: According to the GAO, DHS has 13 different initiatives focused on 
securing control systems. The Department of Energy, the Federal Energy Regu- 
latory Commission (FERC), and the National Institute of Standards and Technology 
(NIST) also have initiatives in this field. In 2004, the GAO recommended DHS cre- 
ate an overall strategy to coordinate various control systems activities across federal 
agencies and the private sector. Please provide a copy of this strategy. 

Response: To reduce cyber risks to control systems within and across all critical 
infrastructure sectors, the Department of Homeland Security (DHS) coordinates ef- 
forts among Federal, State, local, and tribal governments, as well as control system 
owners, operators, and vendors. Coordinating efforts to secure control systems is 
paramount to an effective protective posture for all critical infrastructure and key 
resources. 

DHS is working with its partners to baseline activities to serve as the foundation 
for developing a comprehensive strategy that will encompass the public and private 
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sectors, set a vision to secure control systems, describe roles and responsibilities, 
and identify future requirements for resources and actions. 

The Department has developed a timeline to complete this action building on 
work that has already been completed. In the first quarter of Fiscal Year 2008, a 
draft of the Federal sector portion of the strategy will he released for review by gov- 
ernment stakeholders. In cooperation with the Partnership for Critical Infrastruc- 
ture Security, the private industry component will be integrated into the strategy, 
with a draft available for review in the third quarter of FY 2008. After the review 
and comment period is completed, a final comprehensive strategy will be released 
in the first quarter of FY 2009. 

Question 5.: How is the Science and Technology control systems pro- 
gram — Project LOGIIC — being used to help mitigate vulnerabilities in the 
control systems of the oil and gas sector? 

Response: LOGIIC is a collaborative forum for government and industry to focus 
on cyber security issues for the oil and gas industry. Infrastructure owner and oper- 
ator needs determine projects, which are supported by both government and inde- 
pendent experts. Projects examine needs and solutions for correlating and analyzing 
abnormal events to provide indications and warnings of cyber security threats. 
LOGIIC enables informed response to threats by taking corrective action. LOGIIC’s 
goal is to achieve the ability to correlate abnormal events from the process control 
network and its interfaces to the business network with alerts from sources on the 
business network (intrusion detection systems, firewalls, etc.). 

LOGIIC is helping to mitigate vulnerabilities by identif 3 dng and adapting new 
types of security sensors for process control networks, adapting a best-of-breed cor- 
relation engine to this environment, and integrating and demonstrating the tech- 
nology suite in a test hed environment. 

Question 6.: Did the Multi-State Information Sharing and Analysis Center 
(MS-ISAC) receive any more un-obligated funds for FY 2008? 

Response: Yes, the Multi-State Information Sharing and Analysis Center (MS- 
ISAC) received funding using the available Fiscal Year 2007 carryover funds in the 
amount of approximately $1.4 million. 

The MS-ISAC procurement was not awarded by the end of FY 2007 (September 
30, 2007). DHS initiated a replacement procurement action that used both the com- 
mitted $974,849.72 of FY 2007 funds and an additional $465,976.03 of FY 2007 car- 
ryover funds that had not been obligated by the close of FY 2007. FY 2007 carryover 
funds for cyber security are available for obligation until September 30, 2008, as 
stipulated in the DHS Appropriations Act of 2007 (H.R. 5441). 

Questions from the Honorable Michael McCaul, Ranking Member, Sub- 
committee ON Emerging Threats, Cybersecurity, and Science and Tech- 
nology 

Question 7.: I understand there is a hardware device that can be used in con- 
junction with other proposed mitigations that is currently being developed by engi- 
neers out at Idaho National Labs. I have been told that currently only one vendor 
is marketing a hardware fix despite there being multiple vendors that sell this sort 
of equipment. What in your opinion is preventing other vendors from mov- 
ing forward with this mitigation device? Similarly has the department en- 
gaged in any discussion of the use of its authorities granted under the De- 
fense Production Act to ensure that those government customers that need 
these devices are accommodated? 

Response: Battelle Energy Alliance (BEA), the contractor responsible for oper- 
ating the Department of Energy (DOE) Idaho National Laboratory (INL) and owner 
of INL intellectual property, has filed an application with the US Patent and Trade- 
mark Office for a method to mitigate the Aurora vulnerability. Multiple vendors 
have expressed interest in licensing the technology from INL. The technology trans- 
fer process conforms to standards for all DOE National Laboratories. 

Regarding the Defense Production Act (DPA), the Department of Homeland Secu- 
rity has assessed the use of the DPA as a potential avenue for ensuring that certain 
technologies are developed and produced to meet national defense needs, including 
critical infrastructure protection needs; however, at this time the technology nec- 
essary to mitigate the threat related to control systems security is available to cus- 
tomers. A shortage in supply would drive further exploration of the use of the DPA. 

Installing a hardware device with technology licensed from the BEA-pending pat- 
ent can provide critical infrastructure and key resource asset owners and operators 
with endpoint security. The sector-specific mitigation plans, however, are based on 
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industry best practices and contribute to comprehensive risk reduction from cyber 
security vulnerabilities to control systems. 

Question 8.: In Mr. Roxey’s testimony he mentioned the need for teeh- 
nical experts to be engaged from the very start. Sinee the engineers at 
Idaho National Labs discovered this vulnerability have they been involved 
in developing the mitigations and briefing the private sector? 

Response: Yes. Technical experts, including experts from the National Labora- 
tories, supported efforts undertaken by the Sector Coordinating Councils, Informa- 
tion Sharing and Analysis Centers, and the Sector Specific Agencies to develop miti- 
gation plans and provided briefings to critical infrastructure and key resource own- 
ers and operators on the control systems vulnerability. The Department of Energy 
National Laboratories, including the Idaho National Laboratory, provide subject- 
matter expertise to the Department of Homeland Security to improve control sys- 
tems security. 

Question 9.: What is the action plan to minimize overlapping efforts at 
DHS? 

Response: The Department of Homeland Security coordinates efforts among a va- 
riety of stakeholders from both the public and private sectors to secure control sys- 
tems. To prioritize activities and minimize overlapping of efforts, the Department 
is working with its partners to baseline activities to serve as the foundation for de- 
veloping a comprehensive strategy that will encompass the public and private sec- 
tors, set a vision to secure control systems, describe roles and responsibilities, and 
identify future requirements for resources and actions. 

Question 10.: What is being done to utilize private sector companies that 
have significant process control and SCADA cyber security experience to 
assist in the area of critical infrastructure cyber security protection? 

Response: Recognizing the expertise the private sector has to offer, the Depart- 
ment of Homeland Security (DHS) sponsors a number of groups to foster close col- 
laboration and information sharing among the control systems stakeholder commu- 
nity. The Cross Sector Cyber Security Working Group (CSCSWG), which was estab- 
lished in May 2007 by DHS and the Partnership for Critical Infrastructure Security, 
brings together government and private-sector cyber security experts to address sys- 
temic cyber risk collaboratively across the critical infrastructure and key resource 
sectors. The CSCSWG facilitates the sharing of information across the sectors about 
cyber security issues, such as common vulnerabilities and protective measures, as 
well as the policy implications of cross-sector cyber dependencies and interdepend- 
encies. Public and private sector representatives from all 17 sectors participate in 
the CSCSWG. 

The Process Control Systems Forum (PCSF) is one of three standing groups under 
the CSCSWG that provide monthly updates on their work so that CSCSWG mem- 
bers can benefit from or engage in activities as appropriate. The PCSF was estab- 
lished to accelerate the design, development, and deployment of more secure control 
systems. It is the Department’s primary vehicle for engaging with the private sector 
on control systems security and includes a variety of stakeholders including govern- 
ment, academia, owners and operators, systems integrators, and vendors. More than 
200 people attended the PCSF’s most recent annual meeting, at which the control 
systems stakeholder community gathered to discuss cyber security challenges and 
issues, deliver training resources, and provide technical subject matter expertise. 

PCSF’s Control Systems Cyber Security Vendors’ Forum facilitates communication 
in a trusted environment between industrial automation and equipment suppliers 
and control system service providers. The Forum consists of 50 members from 27 
domestic and international companies comprising 90 percent of the market share 
providing service to all 17 critical infrastructure sectors. Recent collaboration oc- 
curred earlier this year when members of the Vendors’ Forum worked together to 
address the potential effects on control systems caused by the date change in the 
Daylight Saving Time (DST) standard. The change in DST impacted control systems 
in more than 19 countries. The control systems community recognized the impor- 
tance of this issue and worked with the U.S. Computer Emergency Readiness Team 
(US-CERT) to develop a Technical Information Paper, “Daylight Saving Time 
Changes for 2007.” This guidance to industry on mitigation measures was 
downloaded from the US-CERT website more than 500 times between April and 
July 2007. 

DHS is also working with the Multi-State Information Sharing and Analysis Cen- 
ter (MS-ISAC), the SANS Institute, the Department of Energy Idaho National Lab- 
oratory, and representatives from government and industry on the SCADA Procure- 
ment Project. The Procurement Project seeks to develop common procurement lan- 
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guage that owners and regulators can incorporate into contracting mechanisms to 
ensure the control systems they are buying or maintaining have the hest available 
security. The long-term goal is to raise the level of control systems security through 
the application of robust procurement requirements. The Procurement Project has 
received very positive feedback from users, and the document has averaged more 
than 450 downloads per month from the MS-ISAC website where it was posted in 
January 2007. 

DHS will continue to work closely with public — and private-sector security part- 
ners through the CSCSWG and PCSF to coordinate our activities and develop a Na- 
tional Strategy to Secure Control Systems. 

Question 11.: What is being done to coordinate a standard control system 
cyber security policy across each of the 17 Sector Specific Plans (SSP) de- 
fined by DHS? 

Response: Under the National Infrastructure Protection Plan Risk Management 
Framework, all sectors must address the physical, cyber, and human elements of 
infrastructure in their preparedness and protection efforts. Securing control systems 
is part of the sectors’ efforts to secure their cyber infrastructure. In support of the 
cross-sector cyber responsibility, the National Cyber Security Division is working 
closely with the Office of Infrastructure Protection (IP), the Sector Specific Agencies 
(SSAs), and other security partners to develop guidance and approaches to reduce 
cyber risk and integrate cyber security into the critical infrastructure and key re- 
source (CI-KR) sectors’ protection and preparedness efforts. 

During the Sector-Specific Plan (SSP) development process, the Department of 
Homeland Security (DHS) provided cyber expertise to the sectors, including reviews 
of draft SSPs and participation in sector-specific cyber security meetings. Specifi- 
cally, as sectors were developing their SSPs, DHS developed and provided informa- 
tion to SSAs on resources for cyber security practices and protective programs that 
are applicable across all sectors, as well as some that are more focused on individual 
sectors, to help identify cyber security-related protective programs. For each protec- 
tive program, a brief description with the specific activities they supported within 
the preparedness spectrum was provided. DHS also developed information on cyber 
research and development (R&D) requirements and priorities to help SSAs identify 
cyber-related R&D priorities. DHS provided a description of Federal organizations 
that support cyber R&D and several references to R&D documents that outline spe- 
cific cyber security initiatives. DHS also offered to work directly with any sector 
that requested assistance and worked with responding sectors to develop and review 
cyber security content for the SSPs. These resources identified control systems cyber 
security where appropriate. 

DHS also developed a comprehensive SSP Cyber Guidance Checklist, which pro- 
vided sectors with a framework for integrating cyber security throughout each sec- 
tion of their SSPs. The checklist complemented DHS’ 2006 CI-KR Protection SSP 
Guidance developed by OIP and was intended to provide a starting point for SSAs 
as they integrated cyber into their SSPs. The checklist included an outline and guid- 
ance for the development of cyber content for the SSPs. DHS shared the checklist 
in IP-sponsored technical assistance sessions with SSAs to provide expertise and an- 
swer questions regarding the inclusion of cyber security in the SSPs. DHS personnel 
also met individually with those SSA representatives who expressed an interest in 
determining approaches for incorporating cyber security into their SSPs and sector 
risk management efforts. 

DHS will continue to work with the SSAs as the 17 CI-KR SSPs are updated in 
the future and will provide additional guidance on cyber security-related goals, secu- 
rity partners, risk assessment approaches, protective programs, R&D priorities, and 
measures. These materials will continue to include control systems security and will 
help to ensure that sectors address control systems security in a consistent manner 
across the 17 CI-KR SSPs. 

Question 12.: Are there any plans to increase the reach of the cyher secu- 
rity language in DHS 6 CFR Part 27, Section 550 for the chemical industry? 
If so what is anticipated and if not, why not? 

Response: The Department of Homeland Security (DHS) does not intend to 
change any of the regulatory language contained in the Chemical Facility Anti-Ter- 
rorism Standard (6 CFR Part 27) regarding cyber security. Section 27.230(a)(8) 
makes cyber security a performance standard for high-risk chemical facilities. DHS 
is in the process of developing guidance to help high-risk chemical facilities identify 
and implement cyber security measures that may be appropriate given their unique 
circumstances and levels of risk. This guidance document, which is currently under 
development, will provide guidance on all of the risk-based performance standards 
established in 6 CFR Part 27. Some of the cyber security areas that will be ad- 
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dressed in the guidance document include cyber security policy, access control, per- 
sonnel security, awareness and training, monitoring and incident response, disaster 
recovery and business continuity, system development and acquisition, configuration 
management, and audits. 

Question 13.: What is the DHS going to do in order to drive collahoration 
and cooperation between the public sector and private sector? 

Response: The National Infrastructure Protection Plan (NIPP) Partnership 
Framework supports the establishment and maintenance of Sector Coordinating 
Councils (SCCs) that enable private-sector owners and operators to interact on a 
wide range of sector-specific strategies, policies, activities, and issues. SCCs serve 
as principal sector policy coordination and planning entities. Sectors also rely on In- 
formation Sharing and Analysis Centers (ISACs), which provide operational and tac- 
tical capabilities for information sharing and, in some cases, support for incident re- 
sponse activities. The ISACs, as well as other information sharing mechanisms, pro- 
vide a means for the government and private sector to exchange information. In ad- 
dition to the SCCs, the NIPP Partnership Framework enables sectors to establish 
and maintain Government Coordinating Councils (GCCs) comprising representatives 
across various levels of government (i.e.. Federal, State, local, or tribal) so sector- 
specific strategies, activities, policy, and communications can be coordinated. SCCs 
and GCCs meet jointly to discuss sector activities, shape priorities for the future, 
and collaboratively develop and review critical infrastructure protection planning 
documentation. 

The Cross Sector Cyber Security Working Group (CSCSWG) facilitates collabora- 
tion and coordination between government and private sector security partners with 
cyber security expertise from each of the 17 critical infrastructure and key resource 
(CI-KR) sectors on cross-cutting cyber issues. The CSCSWG, which held its inau- 
gural meeting on May 30, 2007, meets monthly and includes more than 90 rep- 
resentatives from the SCCs and GCCs of the 17 Cl-KR sectors. 

The Department of Homeland Security coordinates efforts among government and 
private-sector members of the control systems community to improve security within 
and across all critical infrastructure sectors by reducing cyber security 
vulnerabilities. This coordination includes enhancing public-private partnerships 
through the Process Control Systems Forum and the Partnership for Critical Infra- 
structure Security, as well as using a process to formalize the sharing of sensitive 
information related to control systems vulnerabilities. 

Questions from the Honorable Paul Broun, Jr., a Representative in 
Congress from the State of Georgia 

Question 14.: How is the Department facilitating long term mitigation ef- 
forts with vendors of control systems? What sort of contact does the De- 
partment have with the manufacturers of these devices? 

Response: Assessing technologies is one of the Department’s core long-term ef- 
forts and assists in identifying vulnerabilities, developing mitigation strategies, and 
sharing information to reduce risk to the Nation’s critical infrastructure and key re- 
sources. The Department performs vulnerability assessments of selected vendor sys- 
tems to identify cyber vulnerabilities based on emerging exploitations. This effort 
is accomplished by leveraging the infrastructure and test beds of Department of En- 
ergy National Laboratories, vendor facilities, and other existing end user facilities. 

To date, the Department has completed eight control systems vulnerability assess- 
ments in cooperation with control systems vendors who provide the hardware, soft- 
ware, and training necessary to run the control system. Based largely on the results 
of these assessments, vendors have developed system patches, reconfigured system 
architectures, and built enhanced systems. The results of the vendor assessments 
have also helped inform other Federal control systems efforts, such as developing 
a self assessment tool for industry owners and operators to further reduce cyber risk 
associated with control systems. In addition, the Department has provided owners 
and operators with strategies for mitigating existing system security risks. 

The Department sponsors the Process Control Systems Forum (PCSF), a public- 
private partnership which leverages the experience, capabilities, and contributions 
of international stakeholders from government; academia; industry users, owner/op- 
erators, and systems integrators; and the vendor community through meetings and 
working groups to develop and adopt common architectures, protocols, and practices. 
The PCSF’s Control Systems Cyber Security Vendors’ Forum facilitates communica- 
tion in a trusted environment between industrial automation and equipment sup- 
pliers and control system service providers. The Vendors’ Forum comprises 50 active 
members from 27 global manufacturers representing 90 percent of the control sys- 
tems marketplace. 
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Question from the Honorable James R. Langevin, Chairman, Subcommittee 
ON Emerging Threats, Cybersecurity and Science 

Response from Joseph McClelland 

Question 1.: It is my understanding that many security managers in the industry 
were interested in submitting comments to the FERC rulemaking on critical infra- 
structure protection, but felt that they could not do so for fear of retribution by their 
own management. Is this a problem, and if so, what is FERC doing to allow 
for anonymous comments for future rulemakings? 

Response: In a rulemaking proceeding, the Commission’s ex parte rules do not 
apply. Thus, a person wishing to remain anon3Tnous could informally talk to Com- 
mission staff about his or her concerns without having to formally intervene and 
identify his or her name. Staff could pursue the concerns raised to the extent war- 
ranted. However, the Commission’s Rules of Procedure require that a filing sub- 
mitted to the Commission identify the name of the person making the filing. I be- 
lieve that is appropriate as the public process of a rulemaking should include the 
willingness of formal commenters to identify their name in their comments. 

Questions from the Honorable Michael T. McCaul, Ranking Member, 
Subcommittee on Emerging Threats, Cybersecurity , and Science 

Question 2.: Why does the Notice of Proposed Rulemaking posted by 
NERC ignore for now the major infrastructure dependencies on the bulk 
power system? Should not every responsible entity be held to the same 
standards for securing critical assets? 

Response: Section 215 of the Federal Power Act (FPA) authorizes the Commis- 
sion to approve reliability standards that “provide for the reliable operation of the 
bulk power system,” which the statute defines as the facilities and control systems 
necessary for operation of an interconnected electric energy transmission network 
and the electric energy need to maintain transmission system reliability. The Com- 
mission’s authority under FPA section 215 does not extend to other infrastructure 
such as natural gas pipelines, oil pipelines, or railways, although such infrastruc- 
ture can have a significant impact on the bulk power system. 

Question 3.: As director of reliability do you support strengthening secu- 
rity and the SCADA control systems? With regard to the comments that 
FERC has received thus far on the CIP standards how do you see the regu- 
lations being promulgated? 

Response: Yes, I do support strengthening security and control systems. Histori- 
cally, control systems have been built with a focus on operations, with little or no 
focus on security, as many infrastructures have not been viewed as targets in the 
past. At the same time, these control systems are migrating towards the standard 
IT platforms and internet communications, making them even more vulnerable to 
attack by increasing the connectivity to the outside world. Pursuant to its authority 
and responsibilities, the Commission is in the process of analyzing public comments 
and evaluating the Notice of Proposed Rulemaking (NOPR) in light of those com- 
ments. The comments of the House Subcommittee on Emerging Threats, Cybersecu- 
rity and Science and Technology are among those being considered. The NOPR pro- 
posed dozens of significant modifications to the CIP standards to make them strong- 
er and more effective, thereby increasing security of SCADA control systems. They 
addressed, among other things, increased oversight of the implementation of the 
CIP standards, controls on the discretion exercised by responsible entities, and in- 
creased penalty levels for failure to comply with the CIP standards. I can assure 
you that the final rule will be based on a careful consideration of all comments sub- 
mitted. 

Question 4: Please describe what authority FERC currently has in the 
area of cyber security. Do you think the Commission should have the au- 
thority to modify a NERC standard? 

Response: Pursuant to section 215(d) of the FPA, the Commission is authorized 
to approve a reliability standard developed by the North American Electric Reli- 
ability Corporation or NERC, the Commission-certified electric reliability organiza- 
tion. Section 215 of the FPA defines “reliability standard” to include “requirements 
for the operation of existing bulk-power system facilities, including cybersecurity 
protection. . .” Thus, section 215 explicitly allows for the development of reliability 
standards that relate to cyber security. Pursuant to section 215(d)(3) of the FPA, 
the Commission has authority to order compliance with a reliability standard and 
may impose penalties for non-compliance. 
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As you are aware, NERC submitted to the Commission eight proposed reliability 
standards, referred to as the “CIP” standards, which would require certain users, 
owners and operators of the nation’s bulk power system to comply with specific re- 
quirements to safeguard critical cyber assets. In July 2007, the Commission issued 
a notice of proposed rulemaking that proposes to approve the proposed CIP stand- 
ards. The NOPR also proposes to direct NERC to develop modifications to the pro- 
posed reliability standards to address specific concerns identified by the Commis- 
sion. The Commission received public comment on the NOPR in October 2007 and 
intends to issue a final rule in a timely manner. 

If the Commission, in the final rule, approves the reliahility standards as pro- 
posed in the NOPR, they will become mandatory and enforceable. The Commission 
would then have authority to order compliance with the CIP standards and impose 
penalties for non-compliance with the cyher security requirements. It is important 
to understand that NERC has proposed an implementation plan that would require 
that entities begin compliance no earlier than mid-2009, with full compliance being 
achieved by the end of 2010. NERC represents that the long lead time is necessary 
to achieve compliance with many of the requirements of the proposed reliability 
standards; the NOPR proposed to approve NERC’s implementation plan. 

You also ask whether the Commission should have the authority to modify a 
NERC reliahility standard. Section 215(d) of the FPA provides that the electric reli- 
ability organization, NERC, will develop proposed reliability standards and submit 
the standards to the Commission. The Commission has the options of approving or 
remanding a reliability standard. The Commission, however, does not have author- 
ity to develop a reliability standard on its own. Likewise, while section 215(d)(5) of 
the FPA authorizes the Commission to order the electric reliability organization to 
submit to the Commission a new or modified reliability standard to address a spe- 
cific matter, the Commission does not have authority to independently authorize or 
modify a standard. While this is a significant limitation of the use of the section 
215 process. The Commission has not yet reached the conclusion that legislation is 
needed at this time. 

Question 5.: How will you oversee and ensure the security process goes 
forward? How will you work with the industry to ensure that security risks 
are addressed? 

Response Once Commission-approved CIP standards are in place. Commission 
staff will participate in the audit of entities to determine the security posture of the 
industry. Commission staff also will work with NERC to continue to improve the 
CIP standards, requiring modifications to existing standards and new standards as 
appropriate. In addition, we will monitor and evaluate the number and types of as- 
sets that are being protected as critical assets. We will closely follow the standard 
development efforts that NIST and ISA are leading. In addition, the Commission 
proposed in the NOPR to require NERC to seek and consider comments from federal 
entities, such as Tennessee Valley Authority, that are subject to both the NIST 
standards and CIP standards to assist NERC in determining which elements of the 
NIST standards may he more advantageous to protect the Bulk Power System so 
that NERC may consider including such provisions into the CIP standards. 

Question 6.: Does the Commission have enough resources to promote reli- 
ahility and protection from cyhersecurity threats? 

Response: Based on our workload projections, the Commission is seeking to add 
more engineers and personnel with hulk power system experience, including cyber 
security and control system expertise. Thus, in June 2007, Chairman Kelliher wrote 
to the Chairmen and Ranking Members of the House and Senate Appropriations 
Committees, seeking an additional $9 million for our reliahility work in fiscal year 
2008. This would provide for an additional 55 Full-Time Equivalents (FTEs) to sup- 
port the Commission’s reliability program. These FTEs would consist primarily of 
electrical engineers, power system experts, auditors and lawyers. The Commission’s 
Chairman also asked for authorization to hire electrical engineers non-competitively 
up to the GS-15 level, and to hire six additional executive senior level (SL) staff 
in support of its reliability program. As you may know, the Commission is a self- 
supporting agency and would recover the additional appropriations through fees and 
annual charges, as it does all of its costs, and will operate at no net cost to the teix- 
payer. I encourage you to support these requests hy the Commission. 

Question 7.: NERC said there has been 100% compliance with its action 
alert on cybersecurity. Does the Commission agree? 

Response: The Commission has no information on whether there has been 100% 
compliance with NERC’s action alert. To determine the level of compliance and the 
effectiveness of such compliance, the Commission intends to issue an order directing 
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submission of certain cyber security information from each generator owner and op- 
erator and transmission owner and operator in the United States registered by 
NERC. As a first step toward that end, the Commission, in an October 23, 2007 let- 
ter, informed the Office of Management and Budget (0MB) of the Commission’s in- 
tended action, and requested OMB’s emergency approval of the Commission’s infor- 
mation collection request. This emergency approval, if granted, would expedite the 
0MB approval process, which in ordinary circumstances allows a sixty-day comment 
period on the proposed information collection before 0MB approval. 0MB has not 
acted on the Commission’s request at this time. 

NERC, following the Subcommittee’s October 17, 2007 hearing, issued a survey 
regarding mitigation efforts, with responses due on November 2, 2007. Although we 
support NERC taking the actions it believes are necessary as ES-ISAC, we do not 
believe NERC’s survey provides sufficient information for the Commission to deter- 
mine whether further action is appropriate. For example, it does not provide infor- 
mation on what facilities are the subject of the mitigation plans, what steps to miti- 
gate the cyber vulnerability are being taken, when those steps are planned to be 
taken, and, if certain actions are not being taken, why not. Nor is it clear that 
NERC has received a complete set of responses to its data request. Thus, it is im- 
portant for the Commission to issue an order seeking information that would sup- 
plement NERC’s action and provide more detailed information on which to assess 
the status of mitigation efforts. 

If the 0MB authorizes the Commission to collect this information, the Commis- 
sion intends to issue the order and direct the submission of this information to 
NERC. Following Commission review of the information, the Commission will deter- 
mine whether further action is necessary or appropriate. For example, the Commis- 
sion may consider adopting an order that requires, pursuant to section 215 of the 
ERA, the expedited development of a reliability standard to ensure that mitigation 
measures are promptly and effectively implemented. However, Commission review 
of this information may also indicate that no further action is necessary or appro- 
priate. 

Question 8.: How will FERC ensure the implementation of higher stand- 
ards for cyber security? Will you investigate the mitigation efforts per- 
formed by owners and operators of the Aurora issue? 

Response: Please see responses to questions 5 and 7. 

Questions from the Honorable Paul Broun, Jr., a Representative in 
Congress from the State of Georgia 

Question 9.: Please describe what authority FERC currently has in the 
area of cyber security. Do you think the Commission should have the au- 
thority to modify a NERC standard? How will you oversee and ensure the 
security process goes forward? How will you work with the industry to en- 
sure that security risks are addressed? Does the Commission have enough 
resources to promote reliability and protection from cybersecurity threats? 

Response: Please see responses to questions 4, 5 and 7. 

Question 10.: Can you describe the role that FERC is taking while work- 
ing with the Department of Energy and the Department of Homeland Secu- 
rity? 

Response: The Commission has been collaborating with both DHS and DOE as 
required by Homeland Security Presidential Directive/Hspd-7 (Critical Infrastruc- 
ture Identification, Prioritization, and Protection) that established DHS as the lead 
in protecting the critical infrastructure of the United States and DOE as the Sector 
Specific Agency for electric power. In this regard, Commission staff have supported 
and participated in DOE and DHS security initiatives. For example, we participated 
in the DOE-led effort that produced the Roadmap to Secure Control Systems in the 
Energy Sector. We also participate in the electric sector Government Coordinating 
Council co-chaired by DOE and DHS personnel. We supported and participated in 
the efforts that developed the National Infrastructure Protection Plan and the Elec- 
tric Sector Specific Plan. With DOE’s cooperation, we have utilized the expertise 
found in the national laboratories to better understand control system cyber 
vulnerabilities. Commission staff participated in an interagency team, which in- 
cluded DHS and DOE, formed to address the Aurora vulnerability. Currently, we 
continue to cooperate with DOE and DHS and share information concerning threats. 
As the only agency with authority to approve mandatory reliability standards re- 
garding the nation’s electric grid, the Commission can direct the ERO to develop 
any needed standard in an expedited timeframe. 
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Question from the Honorable Michael T. McCaul, Ranking Member, Sub- 
committee ON Emerging Threats, Cybersecurity, and Science and Tech- 
nology 


Responses from Joe Weiss 

Question 1.: What are the principal differences between the ISA 99 stand- 
ards and the NIST best practices found in Special Publication 800-53? 

Response: Although the developmental processes were different for NIST 800- 
53 and the ISA 99 standards, the results are harmonious. There has been a signifi- 
cant amount of cross-pollination of people between the NIST and ISA standards 
which will provide for a seamless transition between the standards. Both ISA and 
NIST address multiple industries and have similar content in those areas where the 
development is essentially complete. It should be noted that neither ISA nor NIST 
include the exceptions and exclusions found in the NERC CIP cyber security stand- 
ards. Specifically, NIST SP 800-53 security controls address the management, oper- 
ational, and technical safeguards, countermeasures, and/or compensating measures 
prescribed for an information system to protect the confidentiality, integrity, and 
availability of the system and its information. ISA 99 Part 2 covers the management 
and operational requirements. NIST will be performing a mapping between ISA 99 
Part 2 and the NIST SP 800-53 management and operational security controls. ISA 
99 Part 4 will cover the technical requirements. NIST has provided SP 800-53 to 
the ISA 99 Part 4 Working Group for consideration in the development of the Part 
4 standard. No significant differences are expected. 

Question from the Honorable Paul C. Broun, a Representative in Congress 
FROM THE State of Georgia 

Question 2.: What, in your opinion, is the most egregious element of the 
NERC CIP standards? If they had to change one particular element to be 
in line with your recommendations, what would it be?3 

The most egregious element of the NERC CIP standards is the scope, particularly 
the limitations and vagueness in NERC CIP-002. To be in line with my rec- 
ommendations, there would need to be two changes. The first change would be to 
eliminate the exclusions of telecom, market functions, electric distribution, non- 
routable protocols, and nuclear power plants. The systems and protocols that have 
been excluded by the NERC CIP process have vulnerabilities that could affect the 
reliability of the electric grid. The second change would be to require all systems 
that are electronically connected (e.g., digital or analog connection of information or 
control systems) to be considered critical. These changes would result in the utilities 
addressing all systems throughout the enterprise that could be pathways into or out 
of the control system networks. These changes are consistent with what is required 
for securing business Information Technology applications and would make the 
NERC CIPs more consistent with the NIST framework. 

Question from the Honorable Bennie G. Thompson, Committeee on Homeland 

Security 

Response from David A. Whiteley 
Amended December 12, 2007 

Question 1.: What were the results of the August 2007 NERC survey sent 
to owners and operators regarding the status of the sector’s implementa- 
tion of the Aurora mitigation efforts? Please provide the Committee with 
a copy of the survey and a narrative of the results. 

Response: Survey responses were received from 133 entities. The respondents in- 
cluded generating plant owners, generating plant operators, transmission owners, 
transmission operators, and load-serving entities. The respondents ranged from very 
large, multistate investor-owned utilities to small municipal utilities. Responses 
were received from all eight reliability regions. 

The results of the survey indicate 94% of the mitigation measures recommended 
in the June 21 ES-ISAC advisory are completed or are in progress. This 94% con- 
sists of 60% completed and 34% in progress. The remaining 6% are not being per- 
formed for a variety of reasons (not applicable due to nature of equipment, being 
done by another entity, could compromise reliability rather than help reliability). 

The respondents indicated they are taking a prioritized approach to the mitigation 
measures in applying them to their facilities. All respondents with nuclear facilities 
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indicated they have completed the mitigation measures associated with those facili- 
ties and are working on other, smaller facilities on a prioritized basis. 

A copy of survey is enclosed. ^ 

Question 2.: If a cyber exploit of the Aurora vulnerability is imminent, 
how will the Electric Sector ISAC ensure the immediate implementation of 
mitigation efforts? 

Response: The Electricity Sector (ES) ISAC would initiate the following notifica- 
tion steps: 

• Obtain approval from the Electricity Sector Coordinating Council to escalate 
the Cyber Threat Alert Level to Red. 

• Post the escalated level on the ES-ISAC Web site. 

• Send e-mail notifications to the electric industry through distribution lists de- 
signed for notification purposes. The NERC regional entities, the reliability co- 
ordinators, and all Independent System Operators (ISOs) and Regional Trans- 
mission Organizations (RTOs) are included on the lists. Also included on the 
lists are government agencies (NRC, DOE, DHS, FERC, Public Safety Canada), 
other critical infrastructure sector ISACs, and industry trade associations. 

• The notification would recommend that the industry promptly complete the 
immediate mitigation measures identified in the ES-ISAC Advisory. In the case 
of the June 21, 2007 ES-ISAC Advisory, those mitigation measures included: 

1. Robust cyber access mechanisms 

2. Disable remote configuration change capability 

3. Disable automatic re-close function 

4. Add time delay to close function 

5. Disable remote close function 

Following notification to the industry, the ES-ISAC would follow-up to monitor 
progress in implementing the immediate measures. The progress would be tabulated 
and reported to appropriate government agencies. 

Question 3.: One of the NERC standards requires an entity to identify its 
“critical assets” and “critical cyber assets,” with the goal of ensuring that 
these assets are adequately protected from any potential cyber incident. 
Under the NERC definition, would the assets at issue in the Aurora vulner- 
ability be considered “critical assets”? 

Response: Critical assets determined using the methodology from NERC stand- 
ard CIP-002-1 would include generation assets which are subject to the Aurora vul- 
nerability. These typically will be large generators and “blackstart” generators (i.e., 
those generators used to restart the bulk power system following a large blackout). 
However, not all generators are essential to the reliable operation of the bulk elec- 
tric system, and therefore would not be included on a list of critical assets. 

Question 4.: Are the NERC CIP standards consistent with the lessons 
learned document issued after the August 2003 blackout? 

Response: Yes. The NERC CIP Standards are consistent with the recommenda- 
tions in the August 2003 blackout report. There were 13 recommendations (R32 
through R44) in the “physical and cyber security” section of the recommendations 
list in the blackout report. Of these, all of the recommendations that could properly 
be addressed through Reliability Standards are addressed by requirements of the 
CIP standards, as shown in the table below. Recommendation 36 is not a standards 
issue, and recommendations 37 and 39 will require research before standards can 
be written to fully address the recommendation. 


Recommendation 

Relevant CIP Standard 

32 — Implement NERC II Standards 

CIP 002-009 

33 — II Management Procedures 

CIP 003, 007 

34 — Corporate level II Governance 

CIP 003 

35 — Manage II System Monitoring 

CIP 005, 007, 008, 009 


1 See to committee file. 

1 Final Report on the August 14, 2003 “Blackout in the United States and Canada: Causes 
and Recommendations”, U.S. -Canada Power System Outage Task Force, April 5, 2004. The rec- 
ommendations regarding physical and cyber security appear at pages 163-169 of the Report, 
which is available at: http: / 1 www.oe.energy.gov I DocumentsandMedia I BlackoutFinal-Web.pdf 
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Recommendation 

Relevant CIP Standard 

36 — US-Canada Risk Management Study 

Government Study recommendation 

37 — IT Forensics and Diagnostics 

CIP 004, 009 Research recommendation 

38 — Assess Risk and Vulnerabiiity 

CIP 002, 005, 007 

39 — Wireless and Remote Intrusion 

CIP 005, Research recommendation 

40 — Control Access 

CIP 006 

41 — Guidance for Background Checks 

CIP 004 

42— Confirm Role of NERC ES-ISAC 

CIP 008 

43 — Esfablish Clear Authorify 

CIP 003 

44 — Prevenf Informafion Disclosure 

CIP 003 


Not all the recommendations in the report address topics that are relevant to 
NERC standards development. Recommendation R36 deals with an intergovern- 
mental action (initiation of a U.S.-Canada risk management study), not a perform- 
ance standard requirement appropriate for incorporation into a Reliability Standard. 
Recommendation R41 is addressed in CIP 004, although there are significant legal 
and jurisdictional issues contained in its implementation that would need to be re- 
solved outside the standards development process. The subject matter of that rec- 
ommendation, moreover, is addressed by an existing NERC security guideline 
(scheduled for update in 2008). Recommendation R42 (confirmation of NERC ES- 
ISAC as the central point for sharing security information and analysis) is ad- 
dressed in CIP 008. The recommendation also has been addressed outside NERC’s 
standards process through the use of an incident reporting guideline. The guideline 
approach is better suited for this issue due to the frequent change in reporting pro- 
cedures and protocols. 

Question 5.: Do you agree with your NERC colleague Stan Johnson, who 
stated that this test “is not a realistic representation of how the power sys- 
tem would operate”? 

Response: Yes. The test completed at Idaho National Lab (INL) and depicted in 
the video was a 30-second edited version of over three minutes of actual test. The 
generator in the test was a stand-alone diesel generator rated at 3.5 MW. While it 
is true that generators like the one in the test are connected to the grid in North 
America, they are not the backbone of the system and represent a very small por- 
tion of the total generating resources available. The true backbone of the system is 
large generators rated at 300 to 1,100 MW. These large generating units have more 
sophisticated protection systems that would most likely isolate the generators from 
the attack long before the effects (black smoke, repetitive shaking, parts falling off) 
shown in the video. The test at INL was conducted with the power system in an 
optimal configuration for an attacker to be successful. In the real power system, the 
power flows in a highly complex network make a successful attack much more dif- 
ficult. The power flows on the network vary from day to day depending on what 
equipment is in-service or out-of-service. The direction and magnitude of the flows 
would have to be understood and taken advantage of by the attacker. While the test 
at INL helped demonstrate the feasibility of a cyber attack resulting in physical 
damage, a more comprehensive test would be very difficult, if not impossible to con- 
duct. 

Question 6.: Can NERC effectively conduct oversight over electric sector 
owners and operators, considering that NERC operates under dues re- 
ceived by these same companies? 

Response: Yes. NERC does not operate under a system of dues, which suggests 
an element of voluntariness in the payments. Rather, Section 215 of the Federal 
Power Act, the regulations of the Federal Energy Regulatory Commission, and 
NERC’s bylaws and rules were specifically written to preclude undue influence by 
electricity sector stakeholders. Within the United States, NERC is funded through 
assessments to load serving entities that are approved annually by FERC. Once ap- 
proved, those assessments constitute a legally binding obligation to pay that is en- 
forceable, ultimately, through federal law. FERC also approves NERCi’s budget each 
year, which specifies how funds raised by assessment will be used for NERC’s var- 
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ious responsibilities, including enforcement. While electric sector owners and opera- 
tors, along with all other electricity sector stakeholders, have the opportunity to ex- 
press their views about NERC’s annual budget and assessment, electricity sector 
stakeholders do not have decisional authority over NERC’s budget or assessments. 
NERC’s annual budget and assessments are approved, in the first instance, by 
NERC’s independent board of trustees, and thereafter by FERC. 

Question 7.: In his testimony, Mr. Weiss recommends that NERC incor- 
porate the NIST Framework into its CIP standards. My understanding is 
that the NIST Framework is still a work in progress that is still subject to 
further amendment, and that it is intended to serve as model guidelines for 
federal government agencies, not mandatory standards applicahle to the 
private sector with enforcement and penalty provisions. If this is true, please 
comment on whether the NIST Framework is actually an appropriate model for elec- 
tric industry CIP standards that are required under the Federal Power Act (as 
amended by the Energy Policy Act of 2005) to be mandatory and enforceable? Please 
also comment on other reasons why the NIST Framework may not be an appro- 
priate model for the NERC standards, including the lack of a formal stakeholder 
process required by Sec. 215 of the Federal Power Act, enacted by Congress in 2005 
to govern the development of the NERC CIP standards. 

Response: The NIST Eramework^ consists of a number of documents, including 
Eederal Information Processing Standards (FIPS) 199 and 200 (standards) and 
NIST Special Publications (SP) 800-60, 800-53, 800-30, 800-18, 800-53A, and 800- 
37 (guidance and recommendations). As with other NIST SP800 documents, NIST 
SP800-53, Recommended Security Controls for Federal Information Systems, is self- 
described as “guidance documents and recommendations”^ to be used in support of 
federal agencies’ compliance activities with the mandatory Federal Information 
Processing Standards (FIPS) that implement the Federal Information Security Man- 
agement Act (FISMA) of 2002. 

The NIST guidance, as it exists in its approved format, was developed in support 
of FISMA for conventional IT security issues relating to conventional IT use of com- 
puters — the approved NIST guidance was not developed for industrial control sys- 
tems. NIST is developing revised guidance for applicability to industrial control sys- 
tems (ICS), but that has not been finalized. The revised guidance is in its ‘final’ pub- 
lic draft, with comments on the draft due on December 14, 2007. NIST plans on 
publishing the fully revised document within two weeks of the close of the comment 
period. As such, the revised ICS guidance does not yet formally exist, and therefore, 
could not today be included in any NERC CIP standards. 

One major issue with the application of the NIST standards and guidance to the 
private sector deals with the assessment of impact, based on a significantly broader 
scope than the specific focus of the NERC Standards on the reliable operation of 
the bulk power system. The NIST standards and guidance process requires that all 
computer-based processes be considered, even those that have no bearing on reliable 
operations (and which are outside the scope of Section 215 of the FPA), including 
administrative functions and market functions. While these may have bearing on 
the business processes of the effected entities, they cannot be made mandatory 
under the auspices of reliability standards within the scope of Section 215. 

Another issue with the application of the NIST standards and guidance is the 
level of technical detail included in the guidance, much of which does not directly 
relate to bulk power system reliability. The FIPS-199 concept of a “high water 
mark” for security classification requires, for example, that if any one component 
of a system requires a medium or high level of confidentiality, all components of 
that system must be implemented with a high confidentiality without regard to the 
resultant impact to operations, even if that result were detrimental to reliable oper- 
ations. This will result in significantly more work required to achieve and maintain 
compliance with the standards, without any reliability-based benefit. 

While there is a formal approval process for NIST standards, which require the 
approval of the Secretary of Commerce, there does not appear to be any formal doc- 
umented process for creating, revising or approving NIST guidance. Further, the 
NIST (FIPS) standards allow the inclusion by reference of other documents ie.g., 
SP800-53). These referenced documents do not have the same level of approval re- 
quired as the formal text of the standards. 


^See document references available from http: I lwww.csrc.tiist.gov I groups ! SMA! fisma! 
framework.html. 

3NIST Special Publication 800-53 rev 1, page iv, available at http:! I www.csrc.nist.gov ! publi- 
cations ! nistpubs ! 800-53-Rev 1 1 800-53-revl-final-clean-sz.pdf. 
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In contrast, Section 215 of the FPA requires that “reasonable notice and oppor- 
tunity for public comment, due process, openness, and balance of interests in devel- 
oping reliability standards” be provided by the Electric Reliability Organization cer- 
tified by FERC {i.e., NERC) in developing Reliability Standards. These requirements 
are incorporated in FERC’s rules for certification of the ERO, and in the NERC 
rules of procedure as approved by FERC. The NERC process requires that “[a]ll 
mandatory requirements of a reliability standard shall be within an element of the 
standard,”"* thereby ensuring that all mandatory and enforceable standards follow 
the same rigorous review and approval process approved by FERC as consistent 
with the statutory requirements. The NERC process allows the development of guid- 
ance, but cannot make those documents binding as mandatory and enforceable 
standards. 

Question 8.: Concerns have been raised regarding the potential that one or more 
isolated cyber failures or attacks to electric distribution system assets could directly 
lead to more widespread failures or electric outages in the bulk power system. 
Please explain if the standard radial design of electrie distribution systems 
makes such a scenario unlikely, and if it in fact enhances the ability of 
electric utilities to isolate the impact of such events. 

Response: The distribution system is primarily a point-to-point system, with 
lines emanating in a radial pattern, from the local substation to the consumer. 
When a distribution line is taken out of service by a falling tree in an ice storm, 
for example, electricity no longer flows on that spoke and the consumers’ lights go 
out. However, the problem is limited and localized. That is the nature of the dis- 
tribution system — it is local and affects a limited area. 

One or more isolated cyber attacks or failures on the distribution system will have 
a localized and limited effect. In addition, the isolation and protection requirements 
of the NERC CIP standards protect the bulk power system from intrusion reaching 
through the distribution system to bulk power system assets. For one or more iso- 
lated cyber failures or attacks to impact the bulk power system would require a very 
complex, coordinated, synchronized action. It would require a knowledgeable and de- 
termined attacker to exploit a vulnerability. While technically feasible, the likeli- 
hood is low of such a scenario successfully occurring. 

Question 9.: My understanding is that the current ISA security standards and 
technical reports that Mr. Weiss recommends for incorporation in the NERC CIP 
standards are intended to be used as guidance, not to establish expectations for 
auditable compliance, and there are no measures or levels of noncompliance cur- 
rently associated with ISA99. Levels of noncompliance would need to be created and 
approved before the standards could be used as mandatory and enforceable. Do you 
think that such measures could be developed, if such measures are even 
possible, and how much time would it take to develop those measures? 

Response: Much like the status of the NIST guidance for industrial control sys- 
tems, the ISA standards are still a work in progress. To date, only two “technical 
reports” which do not contain any requirements {i.e., they are “informative” and not 
“normative” in nature) have been approved. Because these approved documents do 
not contain any “normative” requirements, quantifiable measures cannot be devel- 
oped for them. The ISA standards themselves are being developed in at least four 
parts (or volumes), and of the four publicly documented parts, one deals with estab- 
lishing terminology, concepts and models, and two deal with the establishment and 
operations of a security program. Only the fourth part deals with “Specific Security 
Requirements for Industrial Automation and Control Systems.” 

This fourth part has just been started, so it is impossible to determine how meas- 
ures, levels of noncompliance, or violation risk factors (all of which are required ele- 
ments of NERC standards, and are required for the compliance program activities) 
could be developed for any explicit requirements contained in that standard. It is 
unknown how long the process to develop those measures would require. 

Question 10.: Appendix F of the NIST 800-53 standards lists at least 25 in- 
stances where an exception to compliance for Industrial Control Systems 
(ICS) may be taken when “the organization determines it is not feasible or 
advisable (e.g., adversely impacting performance, safety, reliability)”. FERC 
has indicated that exemptions under “technically feasible” should be as 
limited as possible, yet it appears that incorporation of the NIST standards 
would allow for a very broad exemption under technical feasibility. Can 
you comment on this? 


"*NERC Reliability Standards Development Procedure, Version 6.1, available at ftp:!! 
ftp.tierc.com ! puh ! sys ! all updl/oc/stp/RSDP ^V6 1 12Mar07.pdf. 
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Response: The NIST standards do not meet the Commission’s expectations. 

Question 11.: What would be the result if the eleetric industry was forced 
to implement the NIST best practices for control systems based upon SP 
800-53? 

Response: Any change now in cybersecurity requirements for the bulk power sys- 
tem would significantly retard progress toward more robust cybersecurity protec- 
tions. 

A requirement to adopt NIST “best practices” now would result in a suspension 
of the current efforts to implement the proposed NERC cybersecurity standards 
pending a review of the NIST standards. The result of the review would require new 
implementation plans and additional time. 

The loss of industry compliance momentum and the delay in implementing man- 
datory bulk power system cybersecurity standards would be detrimental to the reli- 
ability of the bulk power system. 

Question 12.: Arc owners and operators of distribution facilities included 
within the NERC membership? If so, regardless of the authority extended 
in the Energy Policy Act, doesn’t it make sense that distribution facilities 
be included in reliability considerations? 

Response: Within the United States there are approximately 3,000 entities that 
own or operate distribution facilities. Approximately 375 of those entities are NERC 
members. NERC’s authority to set and enforce reliability standards is not contin- 
gent on NERC membership, but extends to owners, operators and users of the bulk 
power system, whether or not they are a member of NERC. NERC can and does 
take account of the impact of distribution facilities on the reliability of the bulk 
power system. NERC can exercise jurisdiction over owners, operators, and users of 
the bulk power system. 

Question 13.: How docs NERC ensure that its members are making efforts 
to mitigate the Aurora vulnerability that we know exists within control 
systems? 

Response: The Electricity Sector Information Sharing and Analysis Center (ES- 
ISAC) has been operated by NERC since it was formed in 2001. The ES-ISAC was 
created as a result of action by the U.S. Department of Energy in response to Presi- 
dential Decision Directive 63 issued in 1998. The ES-ISAC is working with the elec- 
tricity sector entities to mitigate the vulnerabilities in the system by providing infor- 
mation about the vulnerability, recommending mitigation measures, and following 
up to monitor successful completion. 

The ES-ISAC has worked closely with all segments and all levels in the industry 
to mitigate the vulnerabilities. Meetings have been held with representatives of all 
the major trade associations (EEI, APPA, NRECA), the CEOs of the largest compa- 
nies, the Electricity Sector Coordinating Council, numerous operating level commit- 
tees, and groups of technical experts. 

Because the steps needed to mitigate the Aurora vulnerability are not reflected 
in approved reliability standards, NERC has no authority to compel those actions. 
Not all subjects are the appropriate topic for standards. The standards development 
process is by design a public and transparent one, and matters such as the Aurora 
vulnerability do not lend themselves to that public process. However, NERC believes 
the industry is demonstrating excellent judgment and cooperation in completing the 
implementation of the mitigation measures. 

Question 14.: In your testimony you mention that NERC as the Electric Reli- 
ability Organization (ERO) was not given authority over facilities used for distribu- 
tion of electric power. Who has authority to enforce regulations over such fa- 
cilities? 

Response: NERC as the electric reliability organization only has enforcement au- 
thority over the bulk power system. The definition of “bulk power system” in Section 
215(a)(1) of the Federal Power Act expressly excludes facilities used for local dis- 
tribution. Authority over facilities used for local distribution is generally reserved 
to the states, and the scope of that authority varies from state to state. State public 
utility commissions exercise such authority to the extent the utilities are within 
their jurisdiction. In a number of states, municipal utilities are not within the juris- 
diction of state commissions. 

Question 15.: NERC has proposed its own set of cyhersecurity stand- 
ards — will these standards make a difference, i.e. will they make us safer 
than we are today without these standards? Will there be more to do after 
these standards are accepted by FERC in their current form? 
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Response: The answer to both these questions is “yes.” These standards rep- 
resent a first step in a process of continually increasing the cybersecurity of the elec- 
tricity industry. While some companies already meet or exceed the requirements of 
these standards, the vast majority of the industry is working very hard right now 
to meet both the letter and intent of the standards as they are written (and ex- 
pected to be approved by FERC). Essentially every company has had to do some 
work in order to meet either the technical requirements, or provide sufficient docu- 
mentation to prove during an audit that they have met the requirements. Many 
companies are analyzing their systems, and implementing policy-based and tech- 
nical controls to significantly increase the cyber security posture, especially at their 
substations and power plants. 

Since these standards represent a first step, there will be additional steps. Mak- 
ing the modifications proposed by FERC in the pending NOPR to approve the NERC 
Reliability Standards will be among the additional steps to be taken in this area. 
As the industry gains experience and confidence in implementing cybersecurity pro- 
tections, and as the vendors of control systems begin to implement increased cyber- 
security protections into their systems, the cybersecurity posture of the industry will 
increase, and additional standards can be written to ensure that all industry partici- 
pants are continuing to “raise the bar” in their cybersecurity protections. NERC’s 
rules, and a condition of accreditation by the American National Standards Insti- 
tute, require that each standard be reviewed at least every five years. NERC antici- 
pates completing the review and upgrade of all standards over a three-year period. 
The cybersecurity standards are scheduled for review in 2009 to asses them based 
on lessons learned to that point. NERC’s standards development procedure provides 
a systematic approach to improving to the standards and documenting the basis for 
those improvements, and should serve as the mechanism for achieving those im- 
provements. 

The future revisions to the NERC cyber security standards will take place after 
the NIST guidance on security to Industrial Control Systems has been finalized, and 
it is likely that some of the recommendations in that guidance will be included in 
revised Reliability Standards. These recommendations will be analyzed and included 
(or not) based on their impact on the reliable operation of the bulk power system. 

Question 16.: You mentioned in your testimony that the CIP standards were de- 
veloped in a rigorous process. How does NERC plan on operating if and when 
it must develop security standards much quicker than the rigorous stand- 
ard process allows? Are there any contingency plans in place for when im- 
mediate action is necessary? 

Response: NERC operates according to its Rules of Procedure that have been ap- 
proved by the Federal Energy Regulatory Commission. Section 300 of the Rules of 
Procedure discusses the reliability standards development processes. Rule 308 ac- 
knowledges that the current Reliability Standards Development Procedure (Version 
6.1) includes a provision for approval of urgent action standards that can be com- 
pleted within 60 days and emergency actions that may be further expedited. Fur- 
ther, Rule 309.3, Directives to Develop Standards Under Extraordinary Cir- 
cumstances, stipulates the urgent approval action procedure may be utilized if nec- 
essary to meet a timetable for action required by governmental authorities or cir- 
cumstances, respecting to the extent possible the provisions in the standards devel- 
opment process for reasonable notice and opportunity for public comment, due proc- 
ess, openness, and a balance of interests in developing reliability standards. After 
making a written finding that an extraordinary and immediate threat exists to bulk 
power system reliability or national security, the NERC independent Board of 
Trustees has discretion to substantially reduce the public notice and balloting peri- 
ods, thus expediting the development timeframe. 

When standards are implemented using the urgent action or emergency process, 
one of the following three actions must occur: 

— If the urgent or emergency action standard is to be made permanent without 
substantive changes, then the standard must proceed through the regular 
standards development process within one year of the urgent or emergency ac- 
tion approval. 

— If the urgent or emergency action standard is to be substantively revised or 
replaced by a new standard, then a request for the new or revised standard 
must be initiated as soon as practical after the urgent or emergency action bal- 
lot, and the standard must proceed through the regular standards development 
process as soon as practical within two years of the urgent or emergency action 
approval. 

— The urgent or emergency action standard may be withdrawn through the reg- 
ular standards development process within two years. 
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To address immediate threats, NERC can issue an “Essential Action” alert as pro- 
posed and currently pending before EERC in Rule 808.10 of NERC’s Rules of Proce- 
dure. An “Essential Action” alert identifies specific actions that NERC has deter- 
mined are essential for certain segments of owners, operators, or users of the bulk 
power system to take to ensure the reliability of the bulk power system. Such alerts 
require NERC Board approval before issuance. These alerts are not mandatory, and 
NERC has no enforcement authority regarding these alerts, but NERC believes they 
can be a very useful tool in communicating to industry participants actions that are 
needed on an immediate basis to protect bulk system reliability. 

Amendment 

Question 1. What were the results of the August 2007 NERC survey sent 
to owners and operators regarding the status of the sector’s implementa- 
tion of the Aurora mitigation efforts? Please provide the Committee with 
a copy of the survey and a narrative of the results. 

Response: The written follow-up survey was distributed on October 19, 2007. 
Survey responses were received from 133 entities. The respondents included gener- 
ating plant owners, generating plant operators, transmission owners, transmission 
operators, and load-serving entities, the respondents ranged from very large, 
multistate investor-owned utilities to small municipal utilities. Responses were re- 
ceived from all eight reliability regions. 

The results of the survey indicate 94% of the mitigation measures recommended 
in the June 21 ES-ISAC advisory are completed or are in progress. This 94% con- 
sists of 60% completed and 34% in progress. The remaining 6% are not being per- 
formed for a variety of reasons (not applicable due to nature of equipment, being 
done by another entity, could compromise reliability rather than help reliability). 

The respondents indicated they are taking a prioritized approach to the mitigation 
measures in applying them to their facilities. All respondents with nuclear facilities 
indicated they have completed the mitigation measures associated with those facili- 
ties and are working on other, smaller facilities on a prioritized basis. 

Note: ES-ISAC, ELECTRICITY SECTOR, INEORMATION SHARING AND 
ANALYSIS CENTER, OPERATED BY NERC, “ESISAC Advisory Follow-up Sur- 
vey”, October 19, 2007, see committee file. 

Questions from the Honorable Paul Broun, Jr., a Representative in 
Congress from the State of Georgia 

Responses Submitted by Greg Wilshusen 

Responses from David A. Powner 

Director, Information Technology Management Issues 

Questions: In your review of the various programs in the federal govern- 
ment and the private sector to secure control systems, (1) do you identify 
any clear gaps in efforts? (2) As well are there any clearly duplicative pro- 
grams working in parallel? (3) Are there initiatives that don’t exist that 
should? 

Responses: (1) We have identified gaps in programs in the federal government 
and private sector to secure control systems. As we reported in September 2007, ^ 
The National Strategy to Secure Cyberspace ^ directs the Department of Homeland 
Security, in coordination with the Department of Energy and other agencies, to 
work in partnership with private industry in increasing awareness of the impor- 
tance of efforts to secure control systems, developing standards, and improving poli- 
cies with respect to control systems security. However, we reported that the federal 
government does not yet have an overall strategy for guiding and coordinating con- 
trol systems security efforts across the multiple agencies and sectors. In addition, 
more can be done to coordinate related control system activities within and across 
sectors and across the government. For example, while the Department of Energy 
has led the development of an industry road map to secure control systems for the 
energy sector, we have not seen evidence that other sectors, such as transportation, 
have developed such road maps. Another gap we reported is that the Department 


1 GAO, Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under 
Way, hut Challenges Remain, GAO— 07-1036 (Washin^on, D.C.: Sept. 10, 2007).. 

2 The White House, The National Strategy to Secure Cyberspace (Washington, D.C.: February 
2003). 
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of Homeland Security lacks a rapid, efficient process for disseminating sensitive in- 
formation to private industry owners and operators of critical infrastructures. 

(2) We reported that overlapping and possibly duplicative control systems security 
activities may exist. For example, there are multiple efforts underway to develop 
standards for control systems security. These include industry specific standards, 
such as the North American Electric Reliability Corporation standards and the 
American Gas Association standards, as well as more general standards, such as the 
ISA (formerly the Instrumentation, Systems, and Automation Society) standards 
and, within the federal government, the National Institute of Standards and Tech- 
nology standards. Each has different levels of specificity, and the opportunity exists 
to better coordinate and harmonize these standards. 

(3) With respect to your question on initiatives, actions could be taken to reduce 
or eliminate gaps and duplicative activities discussed above. For example, we pre- 
viously recommended that the Department of Homeland Security develop a govern- 
mentwide strategy for securing control systems. As it moves forward with this ef- 
fort, it should take the opportunity to identify and coordinate the activities de- 
scribed above and other control systems activities. In addition, industry experts 
spoke of the beneficial value of the activities of the national laboratories in working 
with control systems vendors and operators and the benefit of possibly expanding 
such activities. 


In responding to these questions, we relied on previous audit work we preformed 
in developing our report on critical infrastructure control systems, as well as ongo- 
ing work examining security of control systems. 

o 
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